WebApp Sec mailing list archives
RE: Should login pages be protected by SSL?
From: "Michael Tsentsarevsky" <michael.t () zahav net il>
Date: Sun, 26 Jun 2005 16:46:22 +0300
There are a few other considerations:

1. I am sorry to say, but the SSL protocol has become a "security stamp" for a web site. That is, if the site's owner has spent the 2k bucks for a certificate, most of the users will think the web site is "secured" (talk about user education). In real life nothing is farther from the truth! SSL-secured sites are leaking user and company information, and SSL is not the element to protect against it. Good coding and proper site configuration and architecture are the key to e-commerce security. How many information exposures do you know of that were caused by sniffing the user's credentials over the net? Now, how many were caused by SQL injection, XSS and other security weaknesses? SSL is the fig leaf badly written sites are using to cover their nudity, nothing more.

2. IDS are network security devices that can intercept hackers who are trying to manipulate data on a web site (sometimes at least). Using SSL will render the IDS useless, because it will not be able to intercept hacking patterns against the site, as the data will be encrypted. That will enable the hacker to do his bidding without fear.

3. SSL was designed to protect the CLIENT by providing a strong identity of the server. But ... most of the users are not familiar with the concepts of PKI and will override the browser's alerts by pressing "Yes" every time the browser is trying to tell them there is a problem with a site.

Using SSL is sometimes good, but not in all cases.

-----Original Message-----
From: Amir Herzberg [mailto:herzbea () macs biu ac il]
Sent: Monday, June 20, 2005 7:20 PM
To: webappsec () securityfocus com
Subject: Should login pages be protected by SSL?

Here is a simple question: should web login forms always be protected by SSL? As a crypto/security expert, my answer is yes.

I think this is necessary, to protect against MITM attacks, as well as from the more common and easy phishing, pharming, and other forms of spoofing attacks, even usage of a near-typo URL (I just happened to go to citybank.com when my goal was citibank.com, and it took me a while to realize...). But, apparently, not everybody agrees. In fact, some login forms, of very established corporations, are not protected by SSL (or TLS). Whenever I come across such a site, I contact the corporation and ask them to `fix` the page. Few do; most ignore (or reply with a typical meaningless corporate reply); but a few actually argue, and seriously, that their practice is sound. Now, I didn't hear any argument which I found convincing, of course. In particular, I can't accept that `this is not a major threat`. But I thought maybe this forum can provide more light on this matter. Comments? Opinions?

BTW, I keep a `hall of shame` web page listing these sites that ignore my warning or actually told me they don't consider this a security problem. I also keep Q&A on phishing/spoofing, and some other related resources (in particular I lead the development of TrustBar, a browser extension to help identify sites securely). See all this on my site.

--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
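A defender-side audit for the question this thread argues over, added here as an example and not code from any poster: it parses a page for forms that carry a password field and reports whether both the page that served the form and the form's resolved action URL use https, since a form delivered over plain http can be rewritten in transit no matter where it posts. The sample page and the example.test hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAuditor(HTMLParser):
    """Collect every <form> holding a password field, with its resolved submit URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []    # one dict per login form found
        self._form = None     # the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # No/empty action means the browser submits back to the page URL itself.
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "has_password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["has_password"]:
                self.findings.append(self._form)
            self._form = None


def audit_login_forms(page_url, html):
    """Return one finding per login form, flagged 'protected' only when both the
    page that served the form and the form's action URL use https."""
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    parser.close()
    for f in parser.findings:
        f["page_https"] = urlsplit(page_url).scheme == "https"
        f["action_https"] = urlsplit(f["action"]).scheme == "https"
        f["protected"] = f["page_https"] and f["action_https"]
    return parser.findings


# Constructed sample: an http page whose login form posts to an https endpoint. The
# password travels encrypted, but the form itself arrived unauthenticated.
SAMPLE_HTML = """<html><body>
<form action="https://login.example.test/session" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""
```

Running `audit_login_forms("http://www.example.test/home", SAMPLE_HTML)` reports the login form as unprotected (page http, action https) and ignores the search form.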