WebApp Sec mailing list archives
RE: Should login pages be protected by SSL?
From: "Hellman, Matthew" <Hellman.Matthew () principal com>
Date: Fri, 24 Jun 2005 11:02:23 -0500
A coworker and I were discussing this thread and it dawned on us why so many companies probably do this (we did a quick survey, this is not uncommon and many of the companies are fortune 500). The login form is right on the main web page. Obviously this has more implications from a performance perspective than some random URL on your site specifically used for login. I still stand by my opinion, but that might at least explain why it's so common. Matt -----Original Message----- From: Hellman, Matthew Sent: Friday, June 24, 2005 8:13 AM To: webappsec () securityfocus com Subject: RE: Should login pages be protected by SSL? What exactly is the situation we're discussing in this thread? I believe it to be sites that present a login form without using SSL, but then encrypt everything thereafter (including the actual login form data). In this context, it's hard to believe that using SSL to protect the login page itself is so "expensive" as to outweigh the advantages of using it. 1) SSL _can_ protect users from phishing and pharming, although I think everybody agrees it won't it most cases. If your users fall victim to this type of attack and you didn't at least offer the ability to validate the login page using an SSL certificate...could you be liable? 2) The "padlock" is a well understood concept to many Internet users. I'm not so sure these same people understand how their information is being protected when the login form has no padlock, but the form posts to a secure URL. Of course, I've seen some sites that fix this problem by just putting a big padlock image on the page;-) Speaking of which, I better secure this email before I forget. ___ /___\ // \\ ======= | | | | ======= IMHO, the short answer is that if you need SSL to protect the credentials and content of your site...you should also protect the login page itself. Matt -----Message Disclaimer----- This e-mail message is intended only for the use of the individual or entity to which it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by reply email to Connect () principal com and delete or destroy all copies of the original message and attachments thereto. Email sent to or from the Principal Financial Group or any of its member companies may be retained as required by law or regulation. Nothing in this message is intended to constitute an Electronic signature for purposes of the Uniform Electronic Transactions Act (UETA) or the Electronic Signatures in Global and National Commerce Act ("E-Sign") unless a specific statement to the contrary is included in this message.
Current thread:
- RE: Should login pages be protected by SSL?, (continued)
- RE: Should login pages be protected by SSL? Derick Anderson (Jun 21)
- RE: Should login pages be protected by SSL? Cowles, Robert D. (Jun 21)
- RE: Should login pages be protected by SSL? Glenn Euloth (Jun 22)
- Re: Should login pages be protected by SSL? Bob Radvanovsky (Jun 22)
- Re: Should login pages be protected by SSL? James Barkley (Jun 23)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 23)
- Re: Should login pages be protected by SSL? Eoin Keary (Jun 24)
- RE: Should login pages be protected by SSL? Levenglick, Jeff (Jun 23)
- RE: Should login pages be protected by SSL? Flanagan, Kevin (Jun 23)
- RE: Should login pages be protected by SSL? Hellman, Matthew (Jun 24)
- RE: Should login pages be protected by SSL? Hellman, Matthew (Jun 24)
- RE: Should login pages be protected by SSL? Simon Zuckerbraun (Jun 25)
- RE: Should login pages be protected by SSL? bluewizard83-de4gahsh (Jun 27)
- RE: Should login pages be protected by SSL? Michael Tsentsarevsky (Jun 26)
- Re: Should login pages be protected by SSL? Yanglei (Jun 26)
- Re: Should login pages be protected by SSL? Michael Silk (Jun 26)
- RE: Should login pages be protected by SSL? dave kleiman (Jun 26)
- RE: Should login pages be protected by SSL? Lyal Collins (Jun 27)
- RE: Should login pages be protected by SSL? dave kleiman (Jun 27)
- Re: Should login pages be protected by SSL? warnings (Jun 28)
- Re: Should login pages be protected by SSL? Yanglei (Jun 26)
- Re: Should login pages be protected by SSL? Saqib Ali (Jun 27)