Network Security: Detailed info on RE: Should login pages be protected by SSL?

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Web-App-Sec

[Top] [All Lists]

RE: Should login pages be protected by SSL?

from [Derick Anderson] Network Security

[Permanent Link]

Subject:	RE: Should login pages be protected by SSL?
Date:	Tue, 21 Jun 2005 16:33:05 -0400

I don't see how SSL-protecting the login form would protect 
you from MITM attacks if the form is submitting to a SSL 
protected page.


It really doesn't, unless the web application uses the same session ID
in the SSL session that it does on the unsecured page (if it in fact
begins a session before authentication).

I am like you though.  I think the login forms should be 
protected as well.  If only because it helps users know what 
forms are and are not SSL-protected.

Chris


I agree as well though my opinion may not count for much. =) Most of the
sites I administer are all SSL, with a port 80 redirect to 443 on the
server. It's a performance hit to be sure, but there's never a question
about what part of my sites are secure.

Derick Anderson.

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Should login pages be protected by SSL?, (continued) Re: Should login pages be protected by SSL?, Amir Herzberg Re: Should login pages be protected by SSL?, Torsten Mueller RE: Should login pages be protected by SSL?, Almerindo Graziano Webapp-level protection/detection of Pharming attacks, WebAppSecurity [Technicalinfo.net] RE: Should login pages be protected by SSL?, maburns Re: Should login pages be protected by SSL?, Steve Shah Re: Should login pages be protected by SSL?, Amir Herzberg Re: Should login pages be protected by SSL?, Amir Herzberg RE: Should login pages be protected by SSL?, Cowles, Robert D. Re: Should login pages be protected by SSL?, Steve Shah RE: Should login pages be protected by SSL?, Derick Anderson <= RE: Should login pages be protected by SSL?, Cowles, Robert D. RE: Should login pages be protected by SSL?, Glenn Euloth Re: Should login pages be protected by SSL?, Bob Radvanovsky Re: Should login pages be protected by SSL?, James Barkley Re: Should login pages be protected by SSL?, Saqib Ali Re: Should login pages be protected by SSL?, Eoin Keary RE: Should login pages be protected by SSL?, Levenglick, Jeff RE: Should login pages be protected by SSL?, Flanagan, Kevin RE: Should login pages be protected by SSL?, Hellman, Matthew RE: Should login pages be protected by SSL?, Hellman, Matthew

Previous by Date:	Re: PCI standards & Should login pages be protected by SSL?, Peter Watkins
Next by Date:	RE: Should login pages be protected by SSL?, Cowles, Robert D.
Previous by Thread:	Re: Should login pages be protected by SSL?, Steve Shah
Next by Thread:	RE: Should login pages be protected by SSL?, Cowles, Robert D.
Indexes:	[Date] [Thread] [Top] [All Lists]