WebApp Sec: Re: Should login pages be protected by SSL? (and comment to moderator)

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

Re: Should login pages be protected by SSL? (and comment to moderator)

From: Amir Herzberg <herzbea () macs biu ac il>
Date: Tue, 21 Jun 2005 17:12:00 +0200

Andrew, thanks a lot! But, actually, I didn't find in this document aspecific requirement to (use SSL to) authenticate the form used torequest the credit card number. One may argue that the document allowsan implementation that invokes SSL only to encrypt the credit card afterthe customer filled it in, and not to authenticate the form. Of course Ido _not_ recommend this and I think this is vulnerable to many commonspoofing attacks; but as I noted, there are important sites that takethis approach.

So if there is a specific requirement to send an authenticated page,I'll really appreciate it.

Comment to moderator: sending to this list results in a crazy number ofbounces... you may want to consider pruning them or even better, sendingwith the name of the list not of the submitter...


Best, Amir

Andrew van der Stock wrote:

Amir,
it's required. See Attachment A from the PCI Guidelines. It's veryclear, particularly on page two with the diagram. If you deal with CCnumbers, you must encrypt the communications over the Internet.
Eg, for the asia-pac region:
http://www.visa-asia.com/secured/includes/AP_Encrypt_Clarification.pdf

thanks,
Andrew

On 21/06/2005, at 8:07 PM, Amir Herzberg wrote:
The Visa/MC PCI guidelines are quite stringent on applyingreasonable controls to this data.
Well, actually, I've worked with the card people a lot but am notaware of a specific requirement to use SSL to protect the form sentto the consumer and not just to protect the CC# in transit. Do youknow? If you can give me some reference, I'll appreciate. I can alsoask my contacts. I am very interested, as one of the companies whichuses unprotected login is Amex, and in fact we had a long argumentwith them on these questions...
.


--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages:http://AmirHerzberg.com/shame.html

By Date By Thread

Current thread:

Should login pages be protected by SSL? Amir Herzberg (Jun 20)
- Re: Should login pages be protected by SSL? Andrew van der Stock (Jun 20)
  - Re: Should login pages be protected by SSL? Amir Herzberg (Jun 21)
    - Re: Should login pages be protected by SSL? Andrew van der Stock (Jun 21)
    - Re: Should login pages be protected by SSL? (and comment to moderator) Amir Herzberg (Jun 21)
    - Re: Should login pages be protected by SSL? (and comment to moderator) Andrew van der Stock (Jun 21)
    - Re: PCI standards & Should login pages be protected by SSL? Peter Watkins (Jun 21)
    - RE: PCI standards & Should login pages be protected by SSL? Lyal Collins (Jun 22)
    - Re: Should login pages be protected by SSL? (and comment to moderator) Amir Herzberg (Jun 21)
    - Re: Should login pages be protected by SSL? Steve Shah (Jun 21)