RE: Should login pages be protected by SSL?

[Simon Zuckerbraun <szucker () sst-pr-1 com>]

Actually, there's at least one scenario in which remote sniffing is 
pretty likely: at a Wi-Fi hotspot. Traffic not encrypted with SSL can 
often get sniffed without difficulty. In this scenario, SSL encryption 
provides a huge benefit.

<soapbox>
I'd like to add another point. Some may disagree and I'm open to debate 
on this matter. In a world without SSL, it would be easy to glean lots 
of sensitive user information by hacking into local ISPs and sniffing 
traffic. The whole reason that hackers aren't into doing this is that 
everything that's even mildly sensitive goes through SSL tunnels, so 
hacking the ISP yields very little. But if we all stopped using SSL, 
"Joe ISP" would become quite an attractive target, and it would become 
commonplace for arbitrary intermediate network nodes to get attacked. 
Personally I'm glad I don't have to worry whether or not my ISP is 
properly secured.
</soapbox>

Simon

> -----Original Message----- From: Michael Tsentsarevsky
> [mailto:michael.t () zahav net il] Sent: Monday, June 27, 2005 4:18 AM 
> To: webappsec () securityfocus com Subject: RE: Should login pages be
> protected by SSL?
>
>
> The only benefit of SSL as I see it today is the ability to protect a
> private transaction, by creating an encrypted tunnel - browser to
> server.
>
> This is a good protection in an enterprise environment where there is
> a chance of another employee sniffing the user's connection.
>
> As a fact remote sniffing of data is almost impossible, unless you
> gain control of the user's computer, the server or a network device
> between the two.
>
> In the first two scenarios (client or server owning) you have the
> information already - no need for sniffing. The third scenario
> (network device in the middle) is very unlikely to happen.
>
>
> SSL is the same HTTP, just encapsulated in an encrypted tunnel -
> nothing more, nothing less.