|
WebApp Sec
mailing list archives
Re: Should login pages be protected by SSL?
From: Amir Herzberg <herzbea () macs biu ac il>
Date: Tue, 21 Jun 2005 17:52:08 +0200
Saqib Ali wrote:
Hello,
In my opinion protecting the login using SSL is a good idea, and I do
it myself. However it does not prevent from phishing etc. A phishing
site owner can easily get a SSL protected website as well.
I agree; however now this is a question of user awareness and of browser
indicators of site identity and security. I agree, and even have done
usability testing showing, that current browser UI provides inadequet
indicators, definitely for most (naive) users. See paper in my site.
I think a better approach is to use Netcraft Anti-Phishing toolbar <
http://toolbar.netcraft.com/ >
I agree users should install (and be encouraged to install) a browser
extension providing improved security and identification UI. As an
open-source research project, we develop TrustBar, currently for FireFox
and soon also for IE; I'll appreciate your opinion. Download at
https://addons.mozilla.org/extensions/moreinfo.php?id=478.
It clearly displays sites' hosting location, including country,
helping you to evaluate fraudulent urls (e.g. the real citibank.com or
barclays.co.uk sites are unlikely to be hosted in the former Soviet
Union).
The problem is that they go to a centralized server for all this -
privacy and performance concerns, imho...
TrustBar displays name/logo of site and of CA, and allows users to
assign their own name/logo to the site (`petname`).
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
New: see my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame.html
 By Date 
By Thread
Current thread:
|
Intro
