WebApp Sec
mailing list archives
Re: Should login pages be protected by SSL?
From: Amir Herzberg <herzbea () macs biu ac il>
Date: Tue, 21 Jun 2005 11:53:18 +0200
maburns () safenet-inc com wrote:
> Amazon does use SSL when you are sending the transaction with your credit
> card data info the browser padlock comes up and HTTP"s" confirms you are in
> a SSL encrypted tunnel from your desktop to their server
Yes, but Amazon does not use SSL to protect the page in your login to
the (critical!) one-click mechanism, see at their site
http://www.amazon.com/exec/obidos/flex-sign-in/ref=gw_bt_oc/002-2834753-6756032?opt=a&page=ordering/one-click-address-sign-in-secure.html&response=one-click-main&method=GET&return-url=one-click-main
or a link from my `Hall of Shame of unprotected login pages`...
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
New: see my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame.html