Should login pages be protected by SSL? Jun 20 2005 04:20PM
Amir Herzberg (herzbea macs biu ac il) (7 replies)
Re: Should login pages be protected by SSL? Jun 20 2005 11:41PM
Andrew van der Stock (vanderaj greebo net)
Depends on the value of the system in use.

I help develop forum software, and millions of people use forum
software without SSL every day. In fact, most forum software has a
password-equivalent cookie which can lead to complete compromise from
cookie stealing, and yet most users will not give up the convenience
of auto login.

OTOH, where the login leads to private data, such as your name and
address, I feel that corporations have a duty of care to protect your
data under the various privacy acts around the world. The cost of a
certificate is much less than potential litigation, or more to the
point, reputation loss if someone discovers a way around it.

However, if it's a shopping cart type of thing, like Amazon, the
thing that should be SSL is not the browsing of goods, but the
transactions, particularly the credit card and address details. The
Visa/MC PCI guidelines are quite stringent on applying reasonable
controls to this data. In the case of Amazon 1-click, then
effectively the 1-click is the thing requiring protection, so some
form of control around that is also required. So if you're allowed to
browse and add items without SSL (ie you're using some form of
password analog in the cookie), then as soon as you're about to see
some private data, my view is that re-authentication and completing
the transaction over SSL should be required. Going SSL may not
necessarily help with CSRF attacks.

If the corp has COBIT requirements (ie they're using COBIT to do
SOX), then you might have better luck; grab COBIT and see what
controls should have been applied. That usually focuses their
attention, particularly if the application forms part of their
financial systems.

Lastly, if SSL is not used the entire time, then the "Secure" option
of the cookie cannot be used. This is a weakening of an already weak
control, but people shouldn't throw it away just to save a few
bucks on a certificate.

Andrew

On 21/06/2005, at 2:20 AM, Amir Herzberg wrote:

> Here is a simple question: should web login forms be always
> protected by SSL?

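The last point of the post, that a site which is not HTTPS end-to-end cannot make use of the cookie "Secure" flag, as an added example that is not part of the original post: it uses Python's standard http.cookiejar as a model of the browser's cookie-sending rules; the hostname shop.example.test, the cookie name and the token value are constructed.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Minimal stand-in for a urllib response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends repeated headers

    def info(self):
        return self._headers


def login_cookie_jar(secure_flag):
    """Simulate a login over HTTPS that sets a session cookie, with or without Secure."""
    attrs = "Path=/; HttpOnly" + ("; Secure" if secure_flag else "")
    login = Request("https://shop.example.test/login")  # constructed host
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse([f"session=constructed-token-1; {attrs}"]), login)
    return jar


def cookie_sent_to(jar, url):
    """Return the Cookie header the browser model attaches to a request for url, or None."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies the Secure, domain and path rules
    return req.get_header("Cookie")


def secure_flag_demo():
    secure = login_cookie_jar(secure_flag=True)
    plain = login_cookie_jar(secure_flag=False)
    return {
        # Secure cookie: sent to the HTTPS checkout, withheld from the plain-HTTP catalogue
        "secure_https": cookie_sent_to(secure, "https://shop.example.test/checkout"),
        "secure_http": cookie_sent_to(secure, "http://shop.example.test/browse"),
        # No Secure flag: the password-equivalent token is sent in clear on every HTTP page
        "plain_http": cookie_sent_to(plain, "http://shop.example.test/browse"),
    }


if __name__ == "__main__":
    for name, header in secure_flag_demo().items():
        print(name, "->", header)
```

The middle case is the trade-off in the post: a Secure session cookie is never sent to the unencrypted browsing pages, so a site that serves those pages over plain HTTP has to drop the flag and accept the token travelling in clear.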
Copyright 2009, SecurityFocus