
RE: Should login pages be protected by SSL?

Subject: RE: Should login pages be protected by SSL?
Date: Mon, 27 Jun 2005 23:10:00 +1000
Not sure on Thawte costs.

It's my understanding that some AV products don't inspect HTTP content under all circumstances - e.g. when the content stays in memory and is not written to disk. Often, browsers do not cache HTTPS content, thus the disk-based AV control never sees the malware content until after the infection has occurred. Other common AV products never (in my experience) look at HTTP content at any time - but maybe those products have been updated in recent months.

Finally, in my experience, few people have AV, spyware and firewall tools. Those who have separately purchased/licensed such products may be protected, but the majority are not protected. If I wanted to get spyware inside a business' network, I'd do it through an SSL tunnel.

Lyal


-----Original Message-----
From: dave kleiman [mailto:dave@isecureu.com] 
Sent: Monday, 27 June 2005 4:13 PM
To: webappsec@securityfocus.com
Cc: 'Lyal Collins'
Subject: RE: Should login pages be protected by SSL? 



At present it is an excellent layer of protection and encryption for the individual transaction. It is the only common, well-known one we have. There are a few companies that make products to add layers of protection to SSL. The certs are only about $150, not $2000.

[LC]
In Australia, Verisign SGC certs are about A$1750 or ~US$1400.


Well, an SGC is $450 here. I was not aware of the rip-off over there; how about Thawte? http://www.thawte.com/buy/index.html




2. IDS are network security devices that can intercept hackers that are trying to manipulate data on a web site (sometimes at least). Using SSL will render the IDS useless, because it will not be able to intercept hacking patterns against the site - as the data will be encrypted. That will enable the hacker to do his bidding without fear.

You might want to do a little research here on how to use your particular IDS/IPS with SSL (SSL accelerator etc.), or find one that has that feature available.

[LC] I'd love to see more products/packages with this capability too.


Any external SSL Accelerator will decrypt prior to the server.



Using SSL is sometimes good, but not in all cases.

Could you give us an example of when it would be bad to use SSL instead of no encryption at all?

[LC] Linking unsuspecting users to an HTTPS web page, via the HTTP link deception process of your choice, that's loaded with infecting Trojans and bypasses the proxy/malware sweeper, IDS/IPS and some browser AV plugins. Maybe a bit far-fetched, but possible in seconds flat.
Lyal


Once it hits the machine, it is decrypted; therefore your AV, spyware etc. is going to detect it. Unless you are suggesting that it stores an encrypted virus on your system, well, I guess I would be safe as long as I do not decrypt it?

Of course I should be asleep right now, so if I make a delusional statement, please forgive me.
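The SSL accelerator point in the exchange above (decrypt in front of the server so that an IDS/IPS sees plaintext) as an added configuration example. This is not from any of the posters; the hostname login.example.com, the backend address 10.0.1.10 and the certificate paths are assumptions. It puts the two ways of fronting the application with nginx side by side: a plain TCP pass-through, where a sensor behind the edge still sees only ciphertext (the "SSL renders the IDS useless" case), and TLS termination at the edge, where a sensor tapping the backend segment sees the decrypted request. The two are alternatives: both bind port 443, so only one of them goes into a given nginx.conf.

```nginx
# Added example, not from the thread. Hostname, backend address and
# certificate paths are assumptions.

# (1) TCP pass-through. The edge only forwards the TLS session to the
#     application, which terminates TLS itself. An IDS sensor on the
#     10.0.1.0/24 segment still sees ciphertext and cannot match
#     request-level attack patterns.
stream {
    server {
        listen 443;
        proxy_pass 10.0.1.10:443;   # assumed backend, speaks TLS itself
    }
}

# (2) TLS termination at the edge (what the thread calls an SSL
#     accelerator). The edge decrypts and forwards plain HTTP, so a sensor
#     on the 10.0.1.0/24 segment inspects the decrypted request.
http {
    server {
        listen 80;
        server_name login.example.com;             # assumed hostname
        return 301 https://$host$request_uri;      # never serve the login page over HTTP
    }

    server {
        listen 443 ssl;
        server_name login.example.com;

        ssl_certificate     /etc/nginx/tls/login.example.com.crt;   # assumed paths
        ssl_certificate_key /etc/nginx/tls/login.example.com.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://10.0.1.10:8080;      # assumed backend, plain HTTP
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            # lets the application know the client leg was HTTPS, e.g. to
            # set the Secure flag on the session cookie it issues at login
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Validate with nginx -t before reloading. The trade-off the thread only hints at: in form (2) the plain-HTTP hop from the terminator to the application now carries logins in the clear, so it belongs on an isolated segment (or a dedicated interface) that only the application and the sensor can reach. Where that cannot be guaranteed, re-encrypt to the backend (proxy_pass https://...) and feed the IDS or log collector from the terminator's own access logs instead of a network tap.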




