WebApp Sec mailing list archives
Re: Should login pages be protected by SSL?
From: Lucas Holt <luke () foolishgames com>
Date: Thu, 30 Jun 2005 22:31:29 -0400
On Jun 27, 2005, at 12:38 PM, Saqib Ali wrote:
> I have nothing against META REFRESH :) . It is just that using them for redirecting the users from http:// to https:// is a bad bad design. The Meta refresh tag can be intercepted, or stopped completely. Plus, the execution of the META tags depends on the browser, and not the server. You would have to make sure that you put REFRESH on all the web pages for something that can be easily done using one URL rewrite statement on the webserver.
>
> --
> In Peace,
> Saqib Ali
> http://www.xml-dev.com/
Wow... using a server side redirect is not more secure than a meta refresh. Why? At first glance, the logic would be that meta refresh could be easily changed or the behavior depends on the User Agent. But, in reality the user agent is responsible to handle the HTTP protocol as well. That means it can interpret the redirect header in any way it wants, just like the meta refresh. Now it might be easier for a browser plugin to get access to the HTML from the stream with meta refresh in a browser than the HTTP headers. I've never written a plugin or "toolbar" for IE, so I might be off on that.

The URL could be intercepted if it's included in HTTP headers because the original request is not over the HTTPS channel, regardless of meta refresh or using an HTTP header via a "server side redirect". I think it's a common misconception that using server side "commands" is safer. Either way the data could be intercepted, and that's why SSL is so important to begin with.

That being said, using a meta refresh creates an additional delay for the client as many have a timeout value, etc. It's cleaner to maintain code to do the refresh server side, and the data sent to the client can be smaller. That is a good argument for using server redirections.
Lucas Holt
Luke () FoolishGames com
________________________________________________________
FoolishGames.com (Jewel Fan Site)
JustJournal.com (Free blogging)
FoolishGames.net (Enemy Territory IoM site)

Think PC.. in 2006 you can own an Apple PCintosh. What's next, Windows works?
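The two redirect styles argued about above, as an added example that is not part of this thread or of any poster's code: one function builds the raw plaintext HTTP response for a server-side 301 redirect, another builds the META REFRESH page, and a third recovers the https:// target from either response the way a browser, proxy or anyone reading the unencrypted stream would. The host name, paths and port are constructed values, and the small `http.server` handler is a hand-written stand-in for the single web-server rewrite rule Saqib mentions, not a real server's configuration.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer


def https_url(host: str, path: str) -> str:
    """The https:// URL a plain-http request for `path` on `host` should be sent to.
    Any explicit :80 port is dropped; the https site is assumed (constructed) to be on 443."""
    host = host.split(":")[0]
    return f"https://{host}{path}"


def server_redirect_response(host: str, path: str) -> bytes:
    """Raw bytes of a server-side (HTTP 301) redirect, exactly as they cross the plaintext connection."""
    target = https_url(host, path)
    return (
        "HTTP/1.1 301 Moved Permanently\r\n"
        f"Location: {target}\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def meta_refresh_response(host: str, path: str) -> bytes:
    """Raw bytes of a 200 response whose HTML body carries a META REFRESH to the https:// URL."""
    target = https_url(host, path)
    body = (
        "<html><head>"
        f'<meta http-equiv="refresh" content="0; url={target}">'
        "</head><body>Redirecting...</body></html>"
    ).encode()
    return (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    ).encode() + body


# Matches <meta http-equiv="refresh" content="N; url=TARGET"> and captures TARGET.
_META_REFRESH = re.compile(
    rb'<meta[^>]*http-equiv=["\']refresh["\'][^>]*content=["\']\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)


def redirect_target(raw: bytes):
    """Recover the redirect target from either form, or None if the response redirects nowhere.
    Both the Location header and the META tag sit in the unencrypted response, so whoever can
    read that response (the browser, a proxy, a passive observer) sees the target either way."""
    head, _, body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            return value.strip().decode()
    match = _META_REFRESH.search(body)
    return match.group(1).decode() if match else None


class RedirectToHttps(BaseHTTPRequestHandler):
    """Minimal plain-http listener that answers every GET with a 301 to the https:// copy of
    the same URL: the server-side alternative to putting a META tag on every page."""

    def do_GET(self):
        target = https_url(self.headers.get("Host", "localhost"), self.path)
        self.send_response(301)
        self.send_header("Location", target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


if __name__ == "__main__":
    for build in (server_redirect_response, meta_refresh_response):
        raw = build("example.com", "/login")
        print(f"{build.__name__}: {len(raw)} bytes, target {redirect_target(raw)}")
    # To try the redirector locally on port 8080 (constructed address):
    # HTTPServer(("127.0.0.1", 8080), RedirectToHttps).serve_forever()
```

Running the script shows the same target recovered from both responses and the 301 response being the smaller of the two, which is the size argument made at the end of the message; it does not make either form any less visible on the wire, which is the security argument.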