WebApp Sec
mailing list archives
Re: Should login pages be protected by SSL? (and comment to moderator)
From: Andrew van der Stock <vanderaj () greebo net>
Date: Wed, 22 Jun 2005 00:25:05 +1000
On page two, for clients / card holders / admins / POS / ATM, it
states:
"1 Network (e.g. Internet) – must have authentication and encrypted
communication to web and/or application server"
I don't think they get much clearer than that. MUST, to my
standards-jaundiced eye, means "no exceptions". AND means both
authentication and encryption at the same time. So basically, I think
that covers off SSL logins - in my book, Visa / MC require it for
Internet websites - no exceptions.
thanks,
Andrew
ps. On the bounces, ezmlm should remove them automatically after 5
days. But if it doesn't get better, I'll hassle the Symantec admin
staff to help me as I can't always see who the bounces are.
On 22/06/2005, at 1:12 AM, Amir Herzberg wrote:
Andrew, thanks a lot! But, actually, I didn't find in this document
a specific requirement to (use SSL to) authenticate the form used
to request the credit card number. One may argue that the document
allows an implementation that invokes SSL only to encrypt the
credit card after the customer filled it in, and not to
authenticate the form. Of course I do _not_ recommend this and I
think this is vulnerable to many common spoofing attacks; but as I
noted, there are important sites that take this approach.
So if there is a specific requirement to send an authenticated
page, I'll really appreciate it.
Comment to moderator: sending to this list results in a crazy
number of bounces... you may want to consider pruning them or even
better, sending with the name of the list not of the submitter...
Best, Amir
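The weak pattern Amir describes, a login form delivered over plain HTTP that only posts to an https:// action, is straightforward to check for in an audit of your own pages. The script below is an added example and is not code from the archive or from either correspondent; it assumes the page HTML has already been fetched and runs over constructed sample pages (the hostnames are placeholders), classifying each password form as "ok", "unauthenticated-form", or "cleartext".

```python
"""Audit login forms for the pattern discussed in the thread: a form that is
delivered over plain HTTP (so the form itself is not authenticated) but posts
to an https:// action. Added example, not part of the archive; assumes the
page HTML has already been fetched. Sample pages below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect each <form> action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one (action_url, verdict) finding per password form on the page.

    verdict is one of:
      "ok"                   - page and action both https: the form the user
                               typed into was authenticated and the submission
                               is encrypted
      "unauthenticated-form" - page served over http, action https: the
                               credential is encrypted in transit, but nothing
                               authenticated the form it was typed into
      "cleartext"            - action is not https: credential sent unencrypted
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlparse(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A relative action inherits the scheme of the page it was served from.
        action = urljoin(page_url, form["action"])
        action_scheme = urlparse(action).scheme.lower()
        if action_scheme != "https":
            verdict = "cleartext"
        elif page_scheme != "https":
            verdict = "unauthenticated-form"
        else:
            verdict = "ok"
        findings.append((action, verdict))
    return findings


# Constructed sample pages (placeholder hostnames, not real sites).
SAMPLE_PAGES = {
    "http://shop.example/login": """
        <form method="post" action="https://shop.example/login">
          <input name="user"><input type="password" name="pass">
        </form>""",
    "https://bank.example/login": """
        <form method="post" action="/auth">
          <input name="user"><input type="password" name="pass">
        </form>""",
    "http://legacy.example/": """
        <form method="post" action="login.cgi">
          <input type="password" name="pw">
        </form>
        <form action="/search"><input name="q"></form>""",
}


def audit_all(pages=SAMPLE_PAGES):
    """Run the audit over a {url: html} mapping; returns {url: findings}."""
    return {url: audit_login_forms(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        for action, verdict in findings:
            print(f"{verdict:22} {url} -> {action}")
```

The "unauthenticated-form" verdict is the case Amir is pointing at: the credential is encrypted on the wire, but because the page carrying the form arrived over HTTP, the user had no way to verify that the form (and its action URL) had not been altered in transit, which is why serving the login page itself over SSL matters and not just the POST.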