RE: Should login pages be protected by SSL?

From: Derick Anderson (dandersonvikus.com)
Date: Tue Jun 21 2005 - 15:33:05 CDT


> I don't see how SSL-protecting the login form would protect
> you from MITM attacks if the form is submitting to an
> SSL-protected page.

It really doesn't, unless the web application uses the same session ID
in the SSL session that it does on the unsecured page (if it in fact
begins a session before authentication).
 
> I am like you though. I think the login forms should be
> protected as well. If only because it helps users know what
> forms are and are not SSL-protected.
>
> Chris
>

I agree as well though my opinion may not count for much. =) Most of the
sites I administer are all SSL, with a port 80 redirect to 443 on the
server. It's a performance hit to be sure, but there's never a question
about what part of my sites are secure.

Derick Anderson.
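
The session ID reuse condition described in the reply above, as an added example that is not part of the original message: a toy session store that either keeps or rotates the pre-authentication ID at login, plus a check over the resulting Set-Cookie headers. `SessionStore`, `audit_login_flow`, the `SESSIONID` cookie name and the user `alice` are hypothetical names, and the headers are constructed sample data.

```python
from http.cookies import SimpleCookie
import secrets

class SessionStore:
    """Toy in-memory session store (hypothetical, for illustration only)."""
    def __init__(self):
        self.sessions = {}  # session id -> authenticated user, or None

    def start(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = None  # session begun before authentication
        return sid

    def login(self, sid, user, rotate):
        if rotate:
            # Hardened: drop the pre-auth ID and issue a fresh one at login.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid)

def set_cookie(sid, secure):
    # Constructed Set-Cookie header value for the sample flow.
    return f"SESSIONID={sid}; Path=/; HttpOnly" + ("; Secure" if secure else "")

def audit_login_flow(pre_auth_header, post_auth_header, name="SESSIONID"):
    """Findings for a pre-auth (plain HTTP) / post-auth (SSL) cookie pair."""
    pre, post = SimpleCookie(pre_auth_header), SimpleCookie(post_auth_header)
    findings = []
    if pre[name].value == post[name].value:
        findings.append("session id issued over HTTP is reused after login")
    if not post[name]["secure"]:
        findings.append("post-login cookie lacks Secure flag")
    return findings

def demo(rotate, secure):
    store = SessionStore()
    pre = store.start()                       # ID sent in clear with the login form
    post = store.login(pre, "alice", rotate)  # credentials posted over SSL
    findings = audit_login_flow(set_cookie(pre, False), set_cookie(post, secure))
    # Second value: does the ID that crossed the wire in clear now map to a user?
    return findings, store.user_for(pre)
```

With `rotate=False` the ID that was visible on the unsecured page identifies the authenticated session, which is the case the reply singles out; rotating at login and marking the new cookie Secure clears both findings.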