WebApp Sec mailing list archives

RE: Should login pages be protected by SSL?


From: "Ernest Nelson" <juridian () juridian com>
Date: Mon, 27 Jun 2005 12:22:30 -0700

I generally stick in some server-side code that checks for the use of SSL on
pages that need it.  One library function applied to all pages that need it
can force the use of SSL on all of those pages... no worries about people
messing with client-side tags or code.

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Monday, June 27, 2005 9:38 AM
To: Michael Tsentsarevsky
Cc: webappsec () securityfocus com
Subject: Re: Should login pages be protected by SSL?

Could you explain for me what the insecurity is in REFRESH meta tags?

I have nothing against META REFRESH :) . It is just that using them
for redirecting the users from http:// to https:// is a bad bad
design. The Meta refresh tag can be intercepted, or stopped
completely. Plus, the execution of the META tags depends on the
browser, and not the server.

You would have to make sure that you put REFRESH on all the web pages
for something that can be easily done using one URL rewrite statement
on the webserver.

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/
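
Added example, not part of either message: one way to write the server-side check described in the reply above as a single function wrapped around the whole application, shown here as Python WSGI middleware. The protected prefixes, the host name www.example.com and demo_app are assumptions made for the illustration.

```python
from urllib.parse import quote

# Hypothetical path prefixes that must only be served over TLS.
PROTECTED_PREFIXES = ("/login", "/account")


def require_tls(app, canonical_host, protected=PROTECTED_PREFIXES):
    """Wrap a WSGI app so protected paths are never answered over plain HTTP.

    canonical_host is configured by the operator; the redirect target is
    never built from the client-supplied Host header.
    """

    def middleware(environ, start_response):
        path = environ.get("PATH_INFO") or "/"
        needs_tls = any(path == p or path.startswith(p + "/") for p in protected)
        if environ.get("wsgi.url_scheme") == "https" or not needs_tls:
            return app(environ, start_response)

        if environ.get("REQUEST_METHOD", "GET") not in ("GET", "HEAD"):
            # A POST body (for example credentials) has already crossed the
            # network in cleartext. Redirecting would hide the broken form,
            # so refuse and let the failure be noticed and fixed.
            body = b"This page must be requested over HTTPS.\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]

        location = "https://" + canonical_host + quote(path)
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently", [
            ("Location", location),
            ("Content-Length", "0"),
        ])
        return []

    return middleware


def demo_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


application = require_tls(demo_app, "www.example.com")
```

Behind a TLS-terminating proxy, wsgi.url_scheme describes the proxy-to-application hop, so the check belongs on the proxy or must rely on a header that only the proxy can set.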

