RE: Should login pages be protected by SSL?

["Michael Tsentsarevsky" <michael.t () zahav net il>]

There are a few other considerations:

1. I am sorry to say, but the SSL protocol had become a "security stamp"
for a web site. That is' if the site's owner had spent the 2k bucks for
a certificate, most of the users will think the web site is "secured"
(talk about users education). In real life nothing is farther from the
truth!
SSL secured sites are leaking user and company information and SSL is
not the element to protect against it. Good coding and proper site
configuration and architecture are the key for E-commerce security. How
many information exposures you know that was caused by sniffing the
user's credentials over the net? Now, how many was caused by SQL
injection, XSS and other security weaknesses? SSL is the fig leaf; bad
written sites are using to cover their nudity, nothing more.

2. IDS are network security devices that can intercept hackers that are
trying to manipulate data on a web site (sometimes at least). Using SSL
will render the IDS useless, because it will not be able to intercept
hacking patterns against the site - as the data will be encrypted. That
will enable the hacker to do his bidding without fear.

3. SSL was designed to protect the CLIENT by providing a strong identity
of the server. But ... most of the users are not familiar with the
concepts of PKI and will override the browser's alerts by pressing "Yes"
every time the browser is trying to tell them there is a problem with a
site.

Using SSL is sometimes good, but not in all cases.



-----Original Message-----
From: Amir Herzberg [mailto:herzbea () macs biu ac il] 
Sent: Monday, June 20, 2005 7:20 PM
To: webappsec () securityfocus com
Subject: Should login pages be protected by SSL? 

Here is a simple question: should web login forms be always protected by

SSL?

As a crypto/security expert, my answer is yes. I think this is 
necessary, to protect against MITM attacks, as well as from the more 
common and easy phishing, pharming, and other forms of spoofing attacks,

even usage of a near-typo URL (I just happened to go to citybank.com 
when my goal was citibank.com, and it took me a while to realize...).

But, apparently, not everybody agrees. In fact, some login forms, of 
very established corporations, are not protected by SSL (or TLS). 
Whenever I come across such as site, I contact the corporation and ask 
them to `fix` the page. Few do; most ignore (or reply with typical 
corporate meaningless reply); but few actually argue, and seriously, 
that their practice is sound.

Now, I didn't hear any argument which I found convincing, of course. In 
particular, I can't accept that `this is not a major threat`. But I 
thought maybe this forum can provide more light on this matter. 
Comments? Opinions?

BTW, I keep a `hall of shame` web page listing these sites that ignore 
my warning or actually told me they don't consider this a security 
problem. I also keep Q&A on phishing/spoofing, and some other related 
resources (in particular I lead the development of TrustBar, an browser 
extension to help identify sites securely). See all this in my site.
-- 
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com