Web Application Security
Should login pages be protected by SSL? Jun 20 2005 04:20PM
Amir Herzberg (herzbea macs biu ac il) (7 replies)
Here is a simple question: should web login forms be always protected by
SSL?

As a crypto/security expert, my answer is yes. I think this is
necessary, to protect against MITM attacks, as well as against the more
common and easy phishing, pharming, and other forms of spoofing attacks,
even usage of a near-typo URL (I just happened to go to citybank.com
when my goal was citibank.com, and it took me a while to realize...).

But, apparently, not everybody agrees. In fact, some login forms, of
very established corporations, are not protected by SSL (or TLS).
Whenever I come across such a site, I contact the corporation and ask
them to `fix` the page. Few do; most ignore (or reply with a typical,
meaningless corporate reply); but a few actually argue, and seriously,
that their practice is sound.

Now, I didn't hear any argument which I found convincing, of course. In
particular, I can't accept that `this is not a major threat`. But I
thought maybe this forum can provide more light on this matter.
Comments? Opinions?

BTW, I keep a `hall of shame` web page listing these sites that ignore
my warning or actually told me they don't consider this a security
problem. I also keep Q&A on phishing/spoofing, and some other related
resources (in particular I lead the development of TrustBar, a browser
extension to help identify sites securely). See all this in my site.
--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
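A check in the spirit of the `hall of shame` above, added here as an illustration and not taken from the thread or from TrustBar: it parses a page and flags password forms that are not protected by SSL end to end, i.e. the page was not served over https (so the form itself can be rewritten in transit) or the form posts to a non-https action. The portal URL and HTML are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> as [action, has_password_field]."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None  # index of the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action") or "", False])
            self._open = len(self.forms) - 1
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self.forms[self._open][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def unprotected_login_forms(page_url, html):
    """Return action URLs of password forms exposed to MITM: the page was not
    served over https (the form can be rewritten in transit) or the form
    posts credentials to a non-https action URL."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)  # relative actions inherit the page scheme
        if not page_https or urlsplit(target).scheme != "https":
            findings.append(target)
    return findings


# Constructed sample: a plain-http portal with a search form and a login form
# whose action is https, which still leaves the form open to rewriting.
SAMPLE_URL = "http://portal.example/"
SAMPLE_HTML = ('<form action="/search"><input name="q"></form>'
               '<form action="https://portal.example/login" method="post">'
               '<input name="user"><input type="password" name="pw"></form>')
```

Running `unprotected_login_forms(SAMPLE_URL, SAMPLE_HTML)` reports the login form even though it posts over https, because the http page carrying it is the weak link the post describes.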

Re: Should login pages be protected by SSL? Jun 21 2005 02:15PM
Saqib Ali (docbook xml gmail com)
Re: Should login pages be protected by SSL? Jun 21 2005 11:40AM
Stefano Di Paola (stefano dipaola wisec it)
Re: Should login pages be protected by SSL? Jun 21 2005 09:14AM
Kalyan Varma (kalyan rtns org)
Re: Should login pages be protected by SSL? Jun 21 2005 06:28AM
bluewizard83-de4gahsh yahoo com
Re: Should login pages be protected by SSL? Jun 21 2005 12:42AM
Andy bentley (andy bentleyconsulting biz)
Re: Should login pages be protected by SSL? Jun 21 2005 12:23AM
Michael Silk (michaelslists gmail com)
Re: Should login pages be protected by SSL? Jun 20 2005 11:41PM
Andrew van der Stock (vanderaj greebo net)
Copyright 2010, SecurityFocus