RE: Should login pages be protected by SSL?

["Hellman, Matthew" <Hellman.Matthew () principal com>]

A coworker and I were discussing this thread and it dawned on us why so
many companies probably do this (we did a quick survey, this is not
uncommon and many of the companies are fortune 500).  The login form is
right on the main web page.  Obviously this has more implications from a
performance perspective than some random URL on your site specifically
used for login. I still stand by my opinion, but that might at least
explain why it's so common.

Matt

-----Original Message-----
From: Hellman, Matthew 
Sent: Friday, June 24, 2005 8:13 AM
To: webappsec () securityfocus com
Subject: RE: Should login pages be protected by SSL?

What exactly is the situation we're discussing in this thread?  I
believe it to be sites that present a login form without using SSL, but
then encrypt everything thereafter (including the actual login form
data). In this context, it's hard to believe that using SSL to protect
the login page itself is so "expensive" as to outweigh the advantages of
using it.

1) SSL _can_ protect users from phishing and pharming, although I think
everybody agrees it won't it most cases. If your users fall victim to
this type of attack and you didn't at least offer the ability to
validate the login page using an SSL certificate...could you be liable?

2) The "padlock" is a well understood concept to many Internet users.
I'm not so sure these same people understand how their information is
being protected when the login form has no padlock, but the form posts
to a secure URL.  Of course, I've seen some sites that fix this problem
by just putting a big padlock image on the page;-)  Speaking of which, I
better secure this email before I forget.
  ___
 /___\  
//   \\
=======
|     |
|     |
======= 

IMHO, the short answer is that if you need SSL to protect the
credentials and content of your site...you should also protect the login
page itself.

Matt


-----Message Disclaimer-----

This e-mail message is intended only for the use of the individual or
entity to which it is addressed, and may contain information that is
privileged, confidential and exempt from disclosure under applicable law.
If you are not the intended recipient, any dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this communication in error, please notify us immediately by
reply email to Connect () principal com and delete or destroy all copies of
the original message and attachments thereto. Email sent to or from the
Principal Financial Group or any of its member companies may be retained
as required by law or regulation.

Nothing in this message is intended to constitute an Electronic signature
for purposes of the Uniform Electronic Transactions Act (UETA) or the
Electronic Signatures in Global and National Commerce Act ("E-Sign")
unless a specific statement to the contrary is included in this message.