
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
RE: Non SSL Bank Login Forms

From: James Strassburg (JStrassburgdirects.com)
Date: Fri May 19 2006 - 12:05:19 CDT


This bothers me a great deal too. When my bank first did this I viewed
the page source to make sure that the post was secure. This is not possible
for novice users. Where I work, we train employees on security and part
of that training involves teaching them to look for the SSL lock.
Afterwards, I usually get a few people asking about their bank's website
because there is no lock icon. It seems that more and more banks (and
other sites) want the login form on the start page but they don't want
SSL there.

It seems to me that the way browsers handle SSL notification is a bit
flawed. When visiting a page, I really don't care about how the page
I'm viewing arrived. I care about how the forms I type information into
are going to leave my machine. Instead of the SSL lock icon in
browsers, how about doing something similar for the form input boxes.
The browser could check the post action for a match to https://.* or
check the current connection if the protocol is not specified in the
action. The hard part would be manipulating the control in a way that a
malicious site (or XSS attack) couldn't also do so using javascript.

Perhaps the SSL icon could be accompanied by a warning message (like the
certificate warning) when there is any form on the page that will post
insecurely.

On a somewhat related topic, I'd also like a warning when I'm posting to
a different domain.

James Strassburg

-----Original Message-----
From: Andrew van der Stock [mailto:vanderajgreebo.net]
Sent: Friday, May 19, 2006 12:19 AM
To: wilson.amajohngmail.com; Webappsec (E-mail)
Subject: Re: Non SSL Bank Login Forms

I work at a bank, and I find this frustrating as well.

It is not secure from a phishing perspective - it's how the phishers can
make their "password reset" forms look realistic as you have an implied
trust of the (possibly) real page underneath.

Having a SSL based page one level deep is a good security idea and I'm
terribly frustrated with banks that don't do that. Luckily, the place I
work does this... but for a bad reason. They use a pop-up to hide the
address bar for no good reason. Luckily, IE 7 prevents this absolutely,
so I'm absolutely chuffed. Thank you Microsoft! You helped me win an
argument. :)

thanks,
Andrew

On 19/05/2006, at 12:57 AM, wilson.amajohngmail.com wrote:

> Hello all, my question is how can a form have a field that is secure
> without using SSL. From my web programming experience I cannot
> understand a Bank's claim that their login form is secure when there
> is no SSL used. "Signing on to secure sites from an unsecure page is
> a common industry practice" The POST data has to get to the server if
> SSL is not used how can they claim it is secure? I hope I have
> clarified my question enough
>
> Thanks
>
> John
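The check James Strassburg proposes above (resolve each form's action, treat it as secure only if it resolves to https://, and also flag submits to a different domain) can be modelled outside a browser. The block below is an added example, not code from any of the posts in this thread or from any browser vendor; the page URL, form actions and host names in it are constructed for illustration. It also records the caveat from the thread: a page that itself arrived over plain HTTP can have its form actions rewritten on the wire or by script before any such check runs, so the verdict is only as trustworthy as the page.

```javascript
// Added example: a model of a browser-side "will this form post over SSL?"
// check, written as plain functions so it runs under Node (URL is a global
// in current Node and in browsers). Not code from the mailing-list posts.
//
// In a browser you would build the `forms` array from the live document:
//   Array.from(document.forms, f => ({
//     action: f.getAttribute('action'),   // raw attribute, not the resolved .action
//     method: f.getAttribute('method'),
//   }))

/**
 * Resolve a form's action the way a browser does on submit: an empty or
 * missing action means "post back to this page", and a relative action
 * inherits the page's scheme and host.
 */
function resolveAction(pageUrl, action) {
  const page = new URL(pageUrl);
  if (action == null || String(action).trim() === '') return page;
  return new URL(String(action).trim(), page);
}

/**
 * Classify one form against the page it lives on.
 *   secure      - true only if the resolved action uses https:
 *   crossOrigin - true if the submit target's origin differs from the page's
 */
function classifyForm(pageUrl, form) {
  const page = new URL(pageUrl);
  const target = resolveAction(pageUrl, form.action);
  const method = (form.method || 'get').toLowerCase();
  const secure = target.protocol === 'https:';
  const crossOrigin = target.origin !== page.origin;
  const warnings = [];
  if (!secure) {
    warnings.push(`submits over ${target.protocol.replace(':', '')}; fields travel in the clear`);
  }
  if (crossOrigin) {
    warnings.push(`submits to a different origin: ${target.origin}`);
  }
  if (method === 'get') {
    warnings.push('method is GET; field values end up in the URL (logs, Referer, history)');
  }
  return { action: form.action, method, resolved: target.href, secure, crossOrigin, warnings };
}

/**
 * Audit every form on a page. `pageTrusted` is the caveat from the thread:
 * if the page itself came over http, an attacker on the path (or an XSS)
 * could have rewritten the actions before this check ran, so a "secure"
 * result for any form is only as good as the page that carried it.
 */
function auditForms(pageUrl, forms) {
  const page = new URL(pageUrl);
  return {
    pageTrusted: page.protocol === 'https:',
    results: forms.map((f) => classifyForm(pageUrl, f)),
  };
}

// Constructed sample: an http: start page carrying four forms. The host
// names are made up for the example.
const SAMPLE_PAGE = 'http://www.example-bank.test/';
const SAMPLE_FORMS = [
  { action: 'https://online.example-bank.test/login', method: 'post' }, // the "secure login from an unsecure page" pattern
  { action: '/search', method: 'get' },                                 // relative: inherits http
  { action: '', method: 'post' },                                       // empty: posts back to the http page
  { action: 'https://collector.example.test/grab', method: 'post' },    // https, but to someone else's host
];

function demo() {
  const audit = auditForms(SAMPLE_PAGE, SAMPLE_FORMS);
  if (!audit.pageTrusted) {
    console.log('page was not delivered over https; form actions below could have been altered in transit');
  }
  for (const r of audit.results) {
    console.log(`${r.method.toUpperCase()} ${r.resolved}`);
    for (const w of r.warnings) console.log(`  warning: ${w}`);
  }
  return audit;
}

demo();
```

Running it prints one line per form with its resolved target and warnings. The first form, which is what the banks in the thread are doing, does resolve to https:, and a naive "post action starts with https://" check would call it secure; the `pageTrusted` flag is what captures why that is still not enough when the page around it came over plain HTTP.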
