Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Should login pages be protected by SSL?

from [bluewizard83-de4gahsh] Network Security [Permanent Link]
Subject: RE: Should login pages be protected by SSL?
Date: Sun, 26 Jun 2005 21:26:11 -0700 (PDT) 
I wouldn't really call META redirects insecure really, depending on
what your doing.  The usage that spawned the referenced post though
indicates a possible bad design.  (Using a meta redirect to make sure a
user is on the 'secure' site.)

Using META tags depends on the browser doing what you want it to do. 
Unfortunatly what the browser actually does do is completely outside
your control.  Depending on a clients browser to do something related
to security is a very bad idea.  Whenever possible you should implement
things on server side and not depend on the the client for anything
releated to security.  Also a HTTP redirect usually is a bit more
efficient then sending a page with a META redirect or javascript
redirect.

Chris


--- Simon Zuckerbraun <szucker@sst-pr-1.com> wrote:


Saqib,

Could you explain for me what the insecurity is in REFRESH meta tags?

Many thanks,
Simon


Using REFRESH Meta tags, are very unsecure practice, for obvious
reasons. Redirects to HTTPS should always be performed using URL
REWRITEs on the server side.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Should login pages be protected by SSL?, Michael Silk
Next by Date:  RE: Should login pages be protected by SSL?, Lyal Collins
Previous by Thread:  RE: Should login pages be protected by SSL?, Simon Zuckerbraun
Next by Thread:  RE: Should login pages be protected by SSL?, Michael Tsentsarevsky
Indexes:  [Date] [Thread] [Top] [All Lists]