Actually, there's at least one scenario in which remote sniffing is
pretty likely: at a Wi-Fi hotspot. Traffic not encrypted with SSL can
often get sniffed without difficulty. In this scenario, SSL encryption
provides a huge benefit.
<soapbox>
I'd like to add another point. Some may disagree and I'm open to debate
on this matter. In a world without SSL, it would be easy to glean lots
of sensitive user information by hacking into local ISPs and sniffing
traffic. The whole reason that hackers aren't into doing this is that
everything that's even mildly sensitive goes through SSL tunnels, so
hacking the ISP yields very little. But if we all stopped using SSL,
"Joe ISP" would become quite an attractive target, and it would become
commonplace for arbitrary intermediate network nodes to get attacked.
Personally I'm glad I don't have to worry whether or not my ISP is
properly secured.
</soapbox>
Simon
-----Original Message----- From: Michael Tsentsarevsky
[mailto:michael.t@zahav.net.il] Sent: Monday, June 27, 2005 4:18 AM
To: webappsec@securityfocus.com Subject: RE: Should login pages be
protected by SSL?
The only benefit of SSL as I see it today is the ability to protect a
private transaction, by creating an encrypted tunnel - browser to
server.
This is a good protection in an enterprise environment where there is
a chance of another employee sniffing the user's connection.
As a fact remote sniffing of data is almost impossible, unless you
gain control of the user's computer, the server or a network device
between the two.
In the first two scenarios (client or server owning) you have the
information already - no need for sniffing. The third scenario
(network device in the middle) is very unlikely to happen.
SSL is the same HTTP, just encapsulated in an encrypted tunnel -
nothing more, nothing less.
