RE: Should login pages be protected by SSL?

["dave kleiman" <dave () isecureu com>]

> At present it is an excellent layer of protection and
> encryption for the
> individual transaction. It is the only common well known one
> we have. There
> are a few companies that make products to add layers of
> protection to the
> SSL. The Certs are only about $150 not $2000.
>
> [LC]
> In Australia, Verisign SGC certs are about A$1750 or ~$1400US


Well a SGC is $450 here, I was not aware of the rip-off over there, how
about Thawte?
http://www.thawte.com/buy/index.html




> > 2. IDS are network security devices that can intercept hackers that
> > are trying to manipulate data on a web site (sometimes at least).
> > Using SSL will render the IDS useless, because it will not
> be able to
> > intercept hacking patterns against the site - as the data will be
> > encrypted. That will enable the hacker to do his bidding
> without fear.
>
> You might want to do a little research here, on how to use
> your particular
> IDS/IPS with SSL (SSL Accelerator etc.) or find one that has
> that feature
> available.
>
> [LC] I'd love to see more products/packages with this capability too.


Any external SSL Accelerator will decrypt prior to the server.


> > Using SSL is sometimes good, but not in all cases.
>
> Could you give us an example of when it would be bad to use
> SSL instead of
> no encryption at all?
>
> [LC] Linking unsuspecting users to a HTTPS web page, via the HTTP link
> deception process of your choice, that's  loaded with
> infecting Trojans and
> bypass the Proxy/malware sweeper, IDS/IPS and some browser AV
> plugins. Maybe
> a bit far fetched, but possible in seconds flat.
> Lyal


Once it hits the machine, it is decrypted, therefore your AV, spyware etc.
is going to detect it. Unless you are suggesting that it stores an encrypted
virus on your system, well I guess I would be safe as long as do not decrypt
it?

Of course I should be asleep right now, so if I make a delusional statement,
please forgive me.