Network Security: Detailed info on Re: Should login pages be protected by SSL?

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Web-App-Sec

[Top] [All Lists]

Re: Should login pages be protected by SSL?

from [Andrew van der Stock] Network Security

[Permanent Link]

Subject:	Re: Should login pages be protected by SSL?
Date:	Tue, 21 Jun 2005 23:47:07 +1000

Amir,

it's required. See Attachment A from the PCI Guidelines. It's very clear, particularly on page two with the diagram. If you deal with CC numbers, you must encrypt the communications over the Internet.

Eg, for the asia-pac region:
http://www.visa-asia.com/secured/includes/AP_Encrypt_Clarification.pdf

thanks,
Andrew

On 21/06/2005, at 8:07 PM, Amir Herzberg wrote:

The Visa/MC PCI guidelines are quite stringent on applying reasonable controls to this data.

Well, actually, I've worked with the card people a lot but am not aware of a specific requirement to use SSL to protect the form sent to the consumer and not just to protect the CC# in transit. Do you know? If you can give me some reference, I'll appreciate. I can also ask my contacts. I am very interested, as one of the companies which uses unprotected login is Amex, and in fact we had a long argument with them on these questions...

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Should login pages be protected by SSL?, Amir Herzberg Re: Should login pages be protected by SSL?, Andrew van der Stock Re: Should login pages be protected by SSL?, Amir Herzberg Re: Should login pages be protected by SSL?, Andrew van der Stock <= Re: Should login pages be protected by SSL? (and comment to moderator), Amir Herzberg Re: Should login pages be protected by SSL? (and comment to moderator), Andrew van der Stock Re: PCI standards & Should login pages be protected by SSL?, Peter Watkins RE: PCI standards & Should login pages be protected by SSL?, Lyal Collins Re: Should login pages be protected by SSL? (and comment to moderator), Amir Herzberg Re: Should login pages be protected by SSL?, Steve Shah Re: Should login pages be protected by SSL?, Amir Herzberg [summary] Re: Should login pages be protected by SSL?, Steve Shah Re: [summary] Re: Should login pages be protected by SSL?, Ole Kasper Olsen Rephrased: Should login pages be protected by SSL - although it won'thelp most users?, Amir Herzberg

Previous by Date:	WASC-Articles: 'Common Security Problems in the Code of Dynamic Web Applications' By Sverre H. Huseby, contact
Next by Date:	Re: Designing a Code Signining System, Saqib Ali
Previous by Thread:	Re: Should login pages be protected by SSL?, Amir Herzberg
Next by Thread:	Re: Should login pages be protected by SSL? (and comment to moderator), Amir Herzberg
Indexes:	[Date] [Thread] [Top] [All Lists]