WebApp Sec mailing list archives
Re: Should login pages be protected by SSL?
From: <warnings () envisagement com>
Date: Tue, 28 Jun 2005 21:50:05 -0700
----- Original Message -----
From: "dave kleiman" <dave () isecureu com>
To: <webappsec () securityfocus com>
Sent: Sunday 26 June 2005 11:07 AM
Subject: RE: Should login pages be protected by SSL?

> > -----Original Message-----
> > From: Michael Tsentsarevsky [mailto:michael.t () zahav net il]
> >
> > 1. I am sorry to say, but the SSL protocol had become a "security stamp" for a web site. That is, if the site's owner had spent the 2k bucks for a certificate, most of the users will think the web site is "secured" (talk about users education). In real life nothing is farther from the truth!
>
> At present it is an excellent layer of protection and encryption for the individual transaction. It is the only common well known one we have. There are a few companies that make products to add layers of protection to the SSL. The Certs are only about $150 not $2000.

Make that $30. Paying for a "higher quality" certificate is a joke. Once most consumers see the lock they assume it is secure. I cannot see the average consumer taking the time to research a certificate to see if they ran a credit check on your business and such. In the end, what you get with SSL is the lock symbol and some level of encryption on communication. Even encrypted data could be cracked with a bit of patience (or less if the lesser SSLs get used).

As for encrypting the login page, that is a minor issue. But doing so creates the lock and this improves consumer perception. While perception is not security, remember that some of us make money doing this and hence consumer perception matters. Consumers want to see the lock when they type in their credit card number. Consumers are not typically going to look at the code for the form submission to see if it uses http or https. What is necessary and what is perceived matter equally. That said, it matters little from a security perspective, but when I ask for your credit card info I want you to feel as comfortable as possible.

Additionally, there is always the possibility that some type of crack of a site will be caught because the browser complains that it is submitting data from a secure page to an insecure link. Hence securing the login page can slightly raise the bar on security. But it is neither necessary nor sufficient for security. Yet, if it increases consumer confidence then it has its own value. And for $30 a year if you gain one or two small sales then it has paid for itself.

some thoughts,
Sean