Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [summary] Re: Should login pages be protected by SSL?

from [Devdas Bhagat] Network Security [Permanent Link]
Subject: Re: [summary] Re: Should login pages be protected by SSL?
Date: Fri, 24 Jun 2005 01:54:19 +0530 
On 23/06/05 00:12 +0200, Ole Kasper Olsen wrote:

On Wed, 22 Jun 2005 14:35:01 +0200, Steve Shah <sshah@risingedge.org> wrote:


Amir Herzberg asked the question of "should login pages be SSL
encrypted". The flurry of discussion can be summerized as "Yes"
with the following details:

...

2. Most people believe that a login page *should* be encrypted
   for web sites carrying important data. (e.g., financial, etc.)


Encryption is not the point. Authentication is. A login page will
never contain sensitive data anyway and as long as the form is
submitted to a secure server, the data is encrypted just fine. A
problem arises when a customer is tricked into entering credentials at
an a bogus site.


If the login form is itself protected by https, then the bar for a
phish is raised to getting a certificate for that domain. With a plain
text login page, the bar for attacking is much lower.

Raising the bar, even by a little bit, helps a lot. Burning through
expensive certificates is a lot more expensive than bulk buying domains,
or just hosting on a free site.

Devdas Bhagat
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Java keystore password storage, Scott, Richard
Next by Date:  Top Ten Information Security Considerations for Use Case Modeling, Gunnar Peterson
Previous by Thread:  Rephrased: Should login pages be protected by SSL - although it won'thelp most users?, Amir Herzberg
Next by Thread:  Re: [summary] Re: Should login pages be protected by SSL?, Michael Silk
Indexes:  [Date] [Thread] [Top] [All Lists]