Re: [CGUYS] Importance of secure login page
I agree that the simple thing for the general public is https with a padlock -- I wish all login sites used an https page. If you do not see https & the padlock, you may want to try my trick: enter a bogus ID and password. Some sites (such as http://www.chase.com/ChaseCreditCard.html) return an error page with https and a padlock.

Excerpt of what Steve Gibson said in Security Now episode 20:

"And so I really think it's a fault of the website designer that they don't move you onto a secure page where the form is being filled out, even though technically it's not that page, it's the page that you're going to submit the data to, which is the next page you go to, which needs to be secure. And similarly, if they put you on a secure page, then it's possible that they could use an unsecure button to accept the data."

See the transcript at http://www.grc.com/sn/SN-020.htm for the full discussion.

- TD

----- Original Message -----
From: db <[EMAIL PROTECTED]>
To: COMPUTERGUYS-L@LISTSERV.AOL.COM
Sent: Thursday, July 19, 2007 1:16:16 PM
Subject: Re: [CGUYS] Importance of secure login page

> But I think the point that someone else made is really important. Starting from a page that a layman can't visibly tell will be secure doesn't help the general public know what is safe and what's not. The end result of that ignorance ... which is promoted by this emerging login technique ... is it will make website spoofing and thus account credential theft easier in general.
>
> db

* ==> QUICK LIST-COMMAND REFERENCE - Put the following commands in <==
* ==> the body of an email & send 'em to: [EMAIL PROTECTED] <==
* Join the list: SUBSCRIBE COMPUTERGUYS-L Your Name
* Too much mail? Try Daily Digests command: SET COMPUTERGUYS-L DIGEST
* Tired of the List? Unsubscribe command: SIGNOFF COMPUTERGUYS-L
* New address? From OLD address send: CHANGE COMPUTERGUYS-L YourNewAddress
* Need more help? Send mail to: [EMAIL PROTECTED]
* List archive at www.mail-archive.com/computerguys-l@listserv.aol.com/
* RSS at www.mail-archive.com/computerguys-l@listserv.aol.com/maillist.xml
* Messages bearing the header "X-No-Archive: yes" will not be archived
Re: [CGUYS] Importance of secure login page
Another problem is I believe it's MS that is sponsoring a 'green bar' at the top of IE if the page is deemed secure. But what it really means is that MS has been paid well to put a green bar there. Many very secure websites, small business owners etc. and those who don't want to be extorted by MS won't go with the green bar. So over time, some people will think only these sites are safe.

Mike

On 7/19/07, db <[EMAIL PROTECTED]> wrote:
> But I think the point that someone else made is really important. Starting from a page that a layman can't visibly tell will be secure doesn't help the general public know what is safe and what's not. The end result of that ignorance ... which is promoted by this emerging login technique ... is it will make website spoofing and thus account credential theft easier in general.
>
> db
>
> Mason Miller wrote:
>> The initial page's protocol (http vs. https) does not matter. It is the method with which the data is sent to the server when the user hits submit. As long as the form specifies an action that points to an address that begins with https, your data is secure. Nothing is passed in the clear when sending a request (or submitting a form) to a server via SSL (https).
>>
>> Mason
>>
>> John DeCarlo wrote:
>>> On 7/19/07, Michael S. Altus <[EMAIL PROTECTED]> wrote:
>>>> Should login pages be secured (https)? A bank has a login page that has account holders log in with their user ID and password on an unsecured (http) page. This goes to a secure site (https). A bank staff person told me that the login page need not be secure. Is that correct?
>>>
>>> It depends on what you are protecting against.
>>>
>>> Interestingly, in practice most sites have the login page as HTTPS. The reason is that with an HTTP login page, the user ID and password is being passed in the clear from your PC to the web site. So anyone looking at network traffic can get your username and password easily.
>>>
>>> Even GMail has an HTTPS login page and then sends you to regular HTTP for doing your email. The same is true for Yahoo mail and probably many other otherwise non-protected sites.
>>>
>>> I would think a financial institution would be more careful. All the financial institutions I use have the HTTPS login page as well as every other page.
Re: [CGUYS] Importance of secure login page
But I think the point that someone else made is really important. Starting from a page that a layman can't visibly tell will be secure doesn't help the general public know what is safe and what's not. The end result of that ignorance ... which is promoted by this emerging login technique ... is it will make website spoofing and thus account credential theft easier in general.

db

Mason Miller wrote:
> The initial page's protocol (http vs. https) does not matter. It is the method with which the data is sent to the server when the user hits submit. As long as the form specifies an action that points to an address that begins with https, your data is secure. Nothing is passed in the clear when sending a request (or submitting a form) to a server via SSL (https).
>
> Mason
>
> John DeCarlo wrote:
>> On 7/19/07, Michael S. Altus <[EMAIL PROTECTED]> wrote:
>>> Should login pages be secured (https)? A bank has a login page that has account holders log in with their user ID and password on an unsecured (http) page. This goes to a secure site (https). A bank staff person told me that the login page need not be secure. Is that correct?
>>
>> It depends on what you are protecting against.
>>
>> Interestingly, in practice most sites have the login page as HTTPS. The reason is that with an HTTP login page, the user ID and password is being passed in the clear from your PC to the web site. So anyone looking at network traffic can get your username and password easily.
>>
>> Even GMail has an HTTPS login page and then sends you to regular HTTP for doing your email. The same is true for Yahoo mail and probably many other otherwise non-protected sites.
>>
>> I would think a financial institution would be more careful. All the financial institutions I use have the HTTPS login page as well as every other page.
Re: [CGUYS] Importance of secure login page
The initial page's protocol (http vs. https) does not matter. It is the method with which the data is sent to the server when the user hits submit. As long as the form specifies an action that points to an address that begins with https, your data is secure. Nothing is passed in the clear when sending a request (or submitting a form) to a server via SSL (https).

Mason

John DeCarlo wrote:
> On 7/19/07, Michael S. Altus <[EMAIL PROTECTED]> wrote:
>> Should login pages be secured (https)? A bank has a login page that has account holders log in with their user ID and password on an unsecured (http) page. This goes to a secure site (https). A bank staff person told me that the login page need not be secure. Is that correct?
>
> It depends on what you are protecting against.
>
> Interestingly, in practice most sites have the login page as HTTPS. The reason is that with an HTTP login page, the user ID and password is being passed in the clear from your PC to the web site. So anyone looking at network traffic can get your username and password easily.
>
> Even GMail has an HTTPS login page and then sends you to regular HTTP for doing your email. The same is true for Yahoo mail and probably many other otherwise non-protected sites.
>
> I would think a financial institution would be more careful. All the financial institutions I use have the HTTPS login page as well as every other page.
Re: [CGUYS] Importance of secure login page
I've been scouring Security Now podcasts for this info because I know it was touched on. Alas, no go on finding it. I do remember however that they had said that it is not uncommon for the front page to not show encryption, but it will be, because the page the information is going to IS encrypted.

http://blog.washingtonpost.com/securityfix/2005/08/bank_sites_still_driven_by_mar_1.html

A Washington Post article with the same conclusion. I'll keep looking for the podcast because it did contain more detail about why this is the way it is.

Mike

On 7/19/07, Michael S. Altus <[EMAIL PROTECTED]> wrote:
> Should login pages be secured (https)? A bank has a login page that has account holders log in with their user ID and password on an unsecured (http) page. This goes to a secure site (https). A bank staff person told me that the login page need not be secure. Is that correct?
>
> Thanks,
> Michael
>
> Michael S. Altus, PhD, ELS
> Intensive Care Communications, Inc.®
> Biomedical Writing and Editing
> Baltimore MD; [EMAIL PROTECTED]
Re: [CGUYS] Importance of secure login page
On 7/19/07, Michael S. Altus <[EMAIL PROTECTED]> wrote:
> Should login pages be secured (https)? A bank has a login page that has account holders log in with their user ID and password on an unsecured (http) page. This goes to a secure site (https). A bank staff person told me that the login page need not be secure. Is that correct?

It depends on what you are protecting against.

Interestingly, in practice most sites have the login page as HTTPS. The reason is that with an HTTP login page, the user ID and password is being passed in the clear from your PC to the web site. So anyone looking at network traffic can get your username and password easily.

Even GMail has an HTTPS login page and then sends you to regular HTTP for doing your email. The same is true for Yahoo mail and probably many other otherwise non-protected sites.

I would think a financial institution would be more careful. All the financial institutions I use have the HTTPS login page as well as every other page.

--
John DeCarlo, My Views Are My Own
Re: [CGUYS] Importance of secure login page
Definitely should be https.

Thank you,
Mark Snyder

----- Original Message -----
> Should login pages be secured (https)? A bank has a login page that has account holders log in with their user ID and password on an unsecured (http) page. This goes to a secure site (https). A bank staff person told me that the login page need not be secure. Is that correct?
Re: [CGUYS] Importance of secure login page
If you view the HTML, the form is probably being sent to the server running SSL. You will see something like:

<form action="https://blah.blah.com">
  ... other form stuff here ...
</form>

As long as the form data is being sent via SSL, all of your form data is secure.

Mason

Michael S. Altus wrote:
> Should login pages be secured (https)? A bank has a login page that has account holders log in with their user ID and password on an unsecured (http) page. This goes to a secure site (https). A bank staff person told me that the login page need not be secure. Is that correct?
>
> Thanks,
> Michael
>
> Michael S. Altus, PhD, ELS
> Intensive Care Communications, Inc.®
> Biomedical Writing and Editing
> Baltimore MD; [EMAIL PROTECTED]
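As an added example (editor's code, not something posted by anyone in this thread), here is the check Mason describes above, and the bogus-login trick TD mentions earlier in the thread, automated: a small Python script that parses the HTML of a login page, finds every form that carries a password field, and reports whether the page itself and the form's action URL are https. It also makes Steve Gibson's caveat concrete. When the page that carries the form is plain http, nothing authenticates that page, so anyone who can modify traffic on the path can rewrite the https action to http before the user presses Submit; the https posting target alone does not protect the credentials. The sample page, the URL it is assumed to have been loaded from, and the host names are all constructed for this example.

```python
"""Login-page audit: added example, not code from the thread.

Given the URL a login page was loaded from and its HTML, find every form
that carries a password field and classify it by whether the page and the
form's action URL are https.  The sample page at the bottom is constructed
for this example; the host names are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

VERDICT_OK = "ok: page and form action are both https"
VERDICT_MIXED = ("warning: form action is https but the page is http; "
                 "an on-path attacker can rewrite the action before submit")
VERDICT_CLEAR = "fail: credentials would be posted in the clear"


class LoginFormCollector(HTMLParser):
    """Collects <form> elements and notes which ones contain a password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each: {"action": absolute URL, "has_password": bool}
        self._current = None   # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action means "post back to this page",
            # so resolve it relative to the page URL.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return one finding per form that asks for a password."""
    collector = LoginFormCollector(page_url)
    collector.feed(html)
    page_https = urlsplit(page_url).scheme.lower() == "https"
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        action_https = urlsplit(form["action"]).scheme.lower() == "https"
        if page_https and action_https:
            verdict = VERDICT_OK
        elif action_https:
            verdict = VERDICT_MIXED
        else:
            verdict = VERDICT_CLEAR
        findings.append({"action": form["action"],
                         "page_https": page_https,
                         "action_https": action_https,
                         "verdict": verdict})
    return findings


def strip_https_from_actions(html):
    """Simulate the rewrite an on-path attacker can apply to an http page:
    downgrade every https form action to http.  This is a plain string
    operation on HTML you already have; it performs no interception."""
    return html.replace('action="https://', 'action="http://')


# Constructed sample: an http login page whose form posts to an https host,
# the arrangement the thread is discussing.
SAMPLE_PAGE_URL = "http://www.example-bank.test/"
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://secure.example-bank.test/login">
  <input type="text" name="userid">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    print("as served:")
    for f in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("  ", f["action"], "->", f["verdict"])
    print("after an on-path rewrite of the http page:")
    for f in audit_login_page(SAMPLE_PAGE_URL, strip_https_from_actions(SAMPLE_HTML)):
        print("  ", f["action"], "->", f["verdict"])
```

To use it on a real site, save the login page's source (the browser's View Source is enough) and call `audit_login_page` with the URL you loaded it from; the search form in the sample is there to show that forms without a password field are ignored. The second run in the `__main__` block is the point of the exercise: the same page, with only its form action downgraded, now reports the credentials as going out in the clear, and the user would see no difference until after pressing Submit.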
[CGUYS] Importance of secure login page
Should login pages be secured (https)? A bank has a login page that has account holders log in with their user ID and password on an unsecured (http) page. This goes to a secure site (https). A bank staff person told me that the login page need not be secure. Is that correct?

Thanks,
Michael

Michael S. Altus, PhD, ELS
Intensive Care Communications, Inc.®
Biomedical Writing and Editing
Baltimore MD; [EMAIL PROTECTED]