I'll bite - comments inline
-----Original Message-----
From: dave kleiman [mailto:dave@isecureu.com]
Sent: Monday, 27 June 2005 4:08 AM
To: webappsec@securityfocus.com
Subject: RE: Should login pages be protected by SSL?
Inline
-----Original Message-----
From: Michael Tsentsarevsky [mailto:michael.t@zahav.net.il]
1. I am sorry to say, but the SSL protocol had become a "security
stamp" for a web site.
That is' if the site's owner had spent the 2k
bucks for a certificate, most of the users will think the web
site is "secured"
(talk about users education). In real life nothing is farther
from the truth!
At present it is an excellent layer of protection and encryption for the
individual transaction. It is the only common well known one we have. There
are a few companies that make products to add layers of protection to the
SSL. The Certs are only about $150 not $2000.
[LC]
In Australia, Verisign SGC certs are about A$1750 or ~$1400US
SSL secured sites are leaking user and company information and SSL is
not the element to protect against it. Good coding and proper site
configuration and architecture are the key for E-commerce security.
Yes that is true and this is ultimately important, probably even more than
SSL, but definitely not instead of!!
2. IDS are network security devices that can intercept hackers that
are trying to manipulate data on a web site (sometimes at least).
Using SSL will render the IDS useless, because it will not be able to
intercept hacking patterns against the site - as the data will be
encrypted. That will enable the hacker to do his bidding without fear.
You might want to do a little research here, on how to use your particular
IDS/IPS with SSL (SSL Accelerator etc.) or find one that has that feature
available.
[LC] I'd love to see more products/packages with this capability too.
3. SSL was designed to protect the CLIENT by providing a strong
identity of the server. But ... most of the users are not familiar
with the concepts of PKI and will override the browser's alerts by
pressing "Yes" every time the browser is trying to tell them there is
a problem with a site.
Actually SSL was designed to encrypt and protect the transaction between two
systems. Proper education is the key to any type of security. If your users
are having problems grasping the concept point them to this:
http://www.securityfocus.com/archive/105/346322
[LC] Trouble is, which 2 machines?
Using SSL is sometimes good, but not in all cases.
Could you give us an example of when it would be bad to use SSL instead of
no encryption at all?
[LC] Linking unsuspecting users to a HTTPS web page, via the HTTP link
deception process of your choice, that's loaded with infecting Trojans and
bypass the Proxy/malware sweeper, IDS/IPS and some browser AV plugins. Maybe
a bit far fetched, but possible in seconds flat.
Lyal
________________________________________________________
Dave Kleiman, CAS, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE
www.SecurityBreachResponse.com www.ComputerForensicInvestigations.com
