WebApp Sec mailing list archives
Re: Growing Bad Practice with Login Forms
From: Konstantin Ryabitsev <icon () phy duke edu>
Date: Tue, 27 Jul 2004 10:12:10 -0400
On Tue, 2004-07-27 at 09:55 -0400, Mark Curphey wrote:
But at that point it's too late. The check for server authentication is done after I have sent my username and password. This IMHO is a bad practice that has started to creep into other sites including online banking.
Not really. SSL verification is done before the HTTP headers are sent to the server (same reason why you can't have name-based SSL virtual hosting), so if there is an SSL cert mismatch, your browser will alert you, and if you cancel the connection then, the server won't see any of your data. In fact, presenting the login form on the SSL page won't win you anything, since there is no guarantee that you will submit your data to the same SSL-enabled server as the one that sent you the login form.

Regards,
--
Konstantin Ryabitsev
Duke University Physics
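As an added illustration of the second point above (a form delivered over plain HTTP gives no guarantee about where the credentials end up), here is a small audit routine that checks where a login form was delivered from and where it posts to. It is example code written for this archive page, not code from the original post; the page URLs and HTML snippets are constructed samples.

```python
"""Audit a login page for the form-origin problem discussed in the thread."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, method) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            self.forms.append(((a.get("action") or ""),
                               (a.get("method") or "get").lower()))


def audit_login_page(page_url, html):
    """Return a list of findings (strings) for the forms on a login page.

    A form is only as trustworthy as the page that delivered it: if the page
    came over plain HTTP, its action can be rewritten in transit, and the
    browser's later certificate check only verifies whichever host the
    rewritten action names.
    """
    page = urlsplit(page_url)
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for action, method in parser.forms:
        target = urlsplit(urljoin(page_url, action))  # '' resolves to page_url
        if page.scheme != "https":
            findings.append("login form delivered over plain HTTP; its action can be tampered with")
        if target.scheme != "https":
            findings.append(f"form posts credentials in clear to {target.geturl()}")
        elif target.netloc != page.netloc:
            findings.append(f"form posts to a different host: {target.netloc}")
        if method != "post":
            findings.append("credentials sent via GET end up in logs and history")
    return findings


# Constructed sample (not from the thread): login form on an HTTP page posting to HTTPS.
SAMPLE_HTTP_PAGE = ('<form action="https://www.example.com/auth" method="post">'
                    '<input name="user"><input name="pass" type="password"></form>')

if __name__ == "__main__":
    for finding in audit_login_page("http://www.example.com/login", SAMPLE_HTTP_PAGE):
        print(finding)
```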