|
WebApp Sec
mailing list archives
Re: Should login pages be protected by SSL?
From: Amir Herzberg <herzbea () macs biu ac il>
Date: Tue, 21 Jun 2005 11:50:45 +0200
maburns () safenet-inc com wrote:
The login page cannot be protected by SSL until after the authentication is
complete. Once the user is authenticated then all information sent between
the server and remote user is in a ssl encrypted tunnel until the session is
ended.
This may be a bit misleading to readers not sufficiently familiar with
SSL, so let me clarify. The SSL tunnel is established using the server's
certificate (and optionally- and rarely used - using client's
certificate). All traffic, including user authentication if using cookie
or password, is inside the tunnel.
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
New: see my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame.html
 By Date 
By Thread
Current thread:
- Re: Should login pages be protected by SSL?, (continued)
RE: Should login pages be protected by SSL? maburns (Jun 20)
Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
RE: Should login pages be protected by SSL? Cowles, Robert D. (Jun 21)
RE: Should login pages be protected by SSL? Derick Anderson (Jun 21)
RE: Should login pages be protected by SSL? Cowles, Robert D. (Jun 21)
|
Intro
