
RE: Non SSL Bank Login Forms

Subject: RE: Non SSL Bank Login Forms
Date: Fri, 19 May 2006 12:05:19 -0500
This bothers me a great deal too.  When my bank first did this I viewed
the page source to make sure that the post was secure.  This is not possible
for novice users.  Where I work, we train employees on security and part
of that training involves teaching them to look for the SSL lock.
Afterwards, I usually get a few people asking about their bank's website
because there is no lock icon.  It seems that more and more banks (and
other sites) want the login form on the start page but they don't want
SSL there.

It seems to me that the way browsers handle SSL notification is a bit
flawed.  When visiting a page, I really don't care about how the page
I'm viewing arrived.  I care about how the forms I type information into
are going to leave my machine.  Instead of the SSL lock icon in
browsers, how about doing something similar for the form input boxes.
The browser could check the post action for a match to https://.* or
check the current connection if the protocol is not specified in the
action.  The hard part would be manipulating the control in a way that a
malicious site (or XSS attack) couldn't also do so using javascript.

Perhaps the SSL icon could be accompanied by a warning message (like the
certificate warning) when there is any form on the page that will post
insecurely.

On a somewhat related topic, I'd also like a warning when I'm posting to
a different domain.


James Strassburg

-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj@greebo.net] 
Sent: Friday, May 19, 2006 12:19 AM
To: wilson.amajohn@gmail.com; Webappsec ((((E-mail))))
Subject: Re: Non SSL Bank Login Forms

I work at a bank, and I find this frustrating as well.

It is not secure from a phishing perspective - it's how the phishers can
make their "password reset" forms look realistic as you have an implied
trust of the (possibly) real page underneath.

Having a SSL based page one level deep is a good security idea and I'm
terribly frustrated with banks that don't do that. Luckily, the place I
work does this... but for a bad reason. They use a pop up to hide the
address bar for no good reason. Luckily, IE 7 prevents this absolutely,
so I'm absolutely chuffed. Thank you Microsoft! You helped me win an
argument. :)

thanks,
Andrew

On 19/05/2006, at 12:57 AM, wilson.amajohn@gmail.com wrote:

Hello all, my question is how can a form have a field that is secure 
without using SSL.  From my web programming experience I cannot 
understand a Bank's claim that their login form is secure when there 
is no SSL used.  "Signing on to secure sites from an unsecure page is 
a common industry practice"  The POST data has to get to the server; if
SSL is not used, how can they claim it is secure?  I hope I have
clarified my question enough.

Thanks

John
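The check proposed above (resolve each form's post action, decide whether the data will leave over HTTPS regardless of how the page itself arrived, and flag posts to a different domain) as an added example. This is not code from the thread or from any browser; it is a Node.js sketch that uses the WHATWG URL class for resolution and a deliberately minimal regex over constructed sample markup in place of a real DOM walk. The hostnames and the `classifyFormSubmission`, `extractFormActions` and `auditForms` names are assumptions made for the illustration.

```javascript
// Added example: classify where a login form's data will travel.
// Assumes Node.js with the global WHATWG URL class. All inputs are constructed.

/**
 * Resolve a form's action against the page URL the way a browser does:
 * an empty or missing action submits back to the current document, and a
 * relative action inherits the page's scheme and host.
 */
function classifyFormSubmission(pageUrl, formAction) {
  const page = new URL(pageUrl);
  // '' resolved against the page URL is the page URL itself.
  const target = new URL(formAction || '', page);
  return {
    action: target.href,
    // Secure only if the posted data leaves over TLS, regardless of how the
    // page itself was delivered (the point made in the thread).
    secure: target.protocol === 'https:',
    // Simplified cross-domain test: exact hostname comparison. A browser would
    // compare registrable domains (public suffix list); this flags subdomains too.
    crossHost: target.hostname !== page.hostname,
  };
}

/**
 * Pull action attributes out of <form> tags. Illustrative only: a browser
 * walks the DOM; this regex is just good enough for the sample markup below.
 */
function extractFormActions(html) {
  const actions = [];
  const formTag = /<form\b[^>]*>/gi;
  let m;
  while ((m = formTag.exec(html)) !== null) {
    const attr = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[0]);
    const value = attr ? [attr[1], attr[2], attr[3]].find((v) => v !== undefined) : '';
    actions.push(value);
  }
  return actions;
}

/**
 * Produce the two warnings asked for in the thread: one for a form that
 * would post in the clear, one for a form that posts to another host.
 */
function auditForms(pageUrl, html) {
  return extractFormActions(html).map((action) => {
    const c = classifyFormSubmission(pageUrl, action);
    const warnings = [];
    if (!c.secure) warnings.push('form posts without SSL/TLS');
    if (c.crossHost) warnings.push('form posts to a different host');
    return { action: c.action, warnings };
  });
}

// Constructed sample: a bank-style start page served over plain HTTP with
// three forms. The hostnames are placeholders, not real sites.
const SAMPLE_PAGE_URL = 'http://www.example-bank.test/';
const SAMPLE_HTML = `
<form method="post" action="https://www.example-bank.test/login">
  <input name="user"><input name="pass" type="password">
</form>
<form method="post">
  <input name="search">
</form>
<form method="post" action='http://stats.thirdparty.test/collect'>
  <input name="q">
</form>`;

for (const r of auditForms(SAMPLE_PAGE_URL, SAMPLE_HTML)) {
  console.log(r.action, r.warnings.length ? r.warnings.join('; ') : 'ok');
}
```

Run with `node`, the first form (HTTPS action, same host) passes, the second (no action, so it posts back to the plain-HTTP page) is flagged as insecure, and the third is flagged both insecure and cross-host. The hostname comparison is the crude part: a bank that posts from `www.` to `secure.` on the same registrable domain would also trip the cross-host warning, which is why a browser implementation would need the public suffix list rather than a string compare.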

