
Re: Should login pages be protected by SSL?

Subject: Re: Should login pages be protected by SSL?
Date: Tue, 28 Jun 2005 21:50:05 -0700
Inline

----- Original Message ----- From: "dave kleiman" <dave@isecureu.com>
To: <webappsec@securityfocus.com>
Sent: Sunday 26 June 2005 11:07 AM
Subject: RE: Should login pages be protected by SSL?

Inline

-----Original Message-----
From: Michael Tsentsarevsky [mailto:michael.t@zahav.net.il]

1. I am sorry to say, but the SSL protocol has become a "security stamp"
for a web site. That is, if the site's owner had spent the 2k bucks for a
certificate, most of the users will think the web site is "secured"
(talk about user education). In real life nothing is farther from the truth!

At present it is an excellent layer of protection and encryption for the
individual transaction. It is the only common well known one we have. There
are a few companies that make products to add layers of protection to the
SSL.
The Certs are only about $150 not $2000.

Make that $30. Paying for a "higher quality" certificate is a joke. Once most consumers see the lock they assume it is secure. I cannot see the average consumer taking the time to research a certificate to see if they ran a credit check on your business and such.

In the end, what you get with SSL is the lock symbol and some level
of encryption on communication.  Even encrypted data could be
cracked with a bit of patience (or less if the lesser SSLs get used).

As for encrypting the login page, that is a minor issue.  But doing
so creates the lock and this improves consumer perception.  While
perception is not security, remember that some of us make money
doing this and hence consumer perception matters.  Consumers want
to see the lock when they type in their credit card number.  Consumers
are not typically going to look at the code for the form submission to
see if it uses http or https.  What is necessary and what is perceived
matter equally.

That said, it matters little from a security perspective, but when I ask
for your credit card info I want you to feel as comfortable as possible.

Additionally, there is always the possibility that some type of crack of
a site will be caught because the browser complains that it is submitting
data from a secure page to an insecure link.  Hence securing the login
page can slightly raise the bar on security.  But it is neither necessary
nor sufficient for security.  Yet, if it increases consumer confidence then
it has its own value.  And for $30 a year if you gain one or two small
sales then it has paid for itself.

some thoughts,

Sean
