Network Security: Detailed info on Re: Should login pages be protected by SSL?

Subject:	Re: Should login pages be protected by SSL?
Date:	Mon, 20 Jun 2005 20:32:41 -0700

Subject:

Re: Should login pages be protected by SSL?

Date:

Mon, 20 Jun 2005 20:32:41 -0700

On Mon, Jun 20, 2005 at 05:16:46PM -0700, maburns@safenet-inc.com wrote:

The login page cannot be protected by SSL until after the authentication is
complete.


This is not true. You can start an SSL session at any point, including
the login page itself. As Andrew said in an earlier post, this is a
good practice if you're dealing with sensitive data.

Once the user is authenticated then all information sent between
the server and remote user is in a ssl encrypted tunnel until the session is
ended. Again the value of the token is it is a "physical device" and must be
present on the users computer for the login to be successful. SSL VPN


I'm not clear on where the SSLVPN advertisement fits into this 
conversation, but 2-factor, SSLVPN, and the use for SSL for encrypting
login pages are all independant variables. An administrator does not
need SSLVPN to secure their web site. 

Somewhat related (but reaching) is the topic of SSL acceleration for
sites that have higher volumes of SSL traffic. There are several
vendors that offer this technology, Google for "ssl acceleration"
for a list.

-Steve

-- 
Steve Shah
sshah@RisingEdge.org

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Should login pages be protected by SSL?, (continued) Re: Should login pages be protected by SSL?, Saqib Ali Re: Should login pages be protected by SSL?, Ian Rogers Re: Should login pages be protected by SSL?, Amir Herzberg Re: Should login pages be protected by SSL?, Achim Hoffmann RE: Should login pages be protected by SSL?, maburns Re: Should login pages be protected by SSL?, Amir Herzberg Re: Should login pages be protected by SSL?, Torsten Mueller RE: Should login pages be protected by SSL?, Almerindo Graziano Webapp-level protection/detection of Pharming attacks, WebAppSecurity [Technicalinfo.net] RE: Should login pages be protected by SSL?, maburns Re: Should login pages be protected by SSL?, Steve Shah <= Re: Should login pages be protected by SSL?, Amir Herzberg Re: Should login pages be protected by SSL?, Amir Herzberg RE: Should login pages be protected by SSL?, Cowles, Robert D. Re: Should login pages be protected by SSL?, Steve Shah RE: Should login pages be protected by SSL?, Derick Anderson RE: Should login pages be protected by SSL?, Cowles, Robert D. RE: Should login pages be protected by SSL?, Glenn Euloth Re: Should login pages be protected by SSL?, Bob Radvanovsky Re: Should login pages be protected by SSL?, James Barkley Re: Should login pages be protected by SSL?, Saqib Ali

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: Should login pages be protected by SSL?, Amir Herzberg
Next by Date:	Re: Should login pages be protected by SSL?, Kalyan Varma
Previous by Thread:	RE: Should login pages be protected by SSL?, maburns
Next by Thread:	Re: Should login pages be protected by SSL?, Amir Herzberg
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: Should login pages be protected by SSL?, Amir Herzberg

Next by Date:

Re: Should login pages be protected by SSL?, Kalyan Varma

Previous by Thread:

RE: Should login pages be protected by SSL?, maburns

Next by Thread:

Re: Should login pages be protected by SSL?, Amir Herzberg

Indexes:

[Date] [Thread] [Top] [All Lists]