-- Amir Herzberg <herzbea (at) macs.biu.ac (dot) il [email concealed]> wrote:
> Here is a simple question: should web login forms be always protected
> by SSL?

Let me check to see if I understand what you are asking. Do you mean
something like:

login form at http://www.site.org/login.html with a login form that
submits to something like https://secure.site.org/auth.cgi?

In my opinion the login form doesn't need to be protected with SSL, but
the form MUST submit to a SSL protected page if there is any data of
any value being transmitted. I don't see how adding SSL to the form
page directly increases security or results directly in any
vulnerability. I am by not an expert though.

> As a crypto/security expert, my answer is yes. I think this is
> necessary, to protect against MITM attacks, as well as from the more
> common and easy phishing, pharming, and other forms of spoofing
> attacks,

I don't see how SSL-protecting the login form would protect you from
MITM attacks if the form is submitting to a SSL protected page.

The main issue in my opinion is that unprotected forms makes it
impossible to properly educate users aboute what a 'secure' versus
non-secure site is. For example it is impossible for me tell my
clients that they should only login to sites with the padalock
displayed by the the browser when the login page at their bank doen't
show up as being SSL protected until after the users has clicked the
login button.

I am like you though. I think the login forms should be protected as
well. If only because it helps users know what forms are and are not
SSL-protected.

Chris

[ reply ]