[thelist] should user account pages be SSL?

Lee Kowalkowski lee.kowalkowski at googlemail.com
Wed Feb 20 17:49:36 CST 2013


On 20 February 2013 20:26, Stuart Young <drstuey at gmail.com> wrote:

> I'm wondering what everyone thinks - should user account pages (e.g. a
> registration page, or change password page) be secured?
>

Yes. Normally no user connection to your website is a direct link between
browser and site.  All the network nodes involved in a connection must be
considered untrusted.  Most of the underlying protocols enabling the
connection are open and unauthenticated.  So HTTPS is required to provide
privacy.

However, HTTPS is not the only thing you need; it mitigates vulnerabilities
related to snooping information in transit.

Snooping network traffic is ridiculously easy for plain HTTP, literally no
skill is required, just free tools and a connection to a network the
traffic passes through (e.g. public wi-fi).  Look how easy it is:
http://forum.xda-developers.com/showthread.php?t=1593990

Snooping HTTPS is also easy, but browsers display the resulting certificate
issue more prominently, to warn the user that there is a problem with the
site's certificate.

So an SSL connection is important, but doesn't provide any security at all
before or after the information is transmitted.


> Would you refuse to login to a site where the login form wasn't secure?
>

If it mattered.  Logging in to a game or forum where nothing is personally
identifiable?  Perhaps not.  But I'm unlikely to disclose any personal
information on that site either, not even my real name.


> Would you refuse to sign an e-petition that asked for your contact details
> if the form wasn't secure?
>

If the details I submit are going to be published, then HTTPS will probably
not be the deciding factor.

> Or can you get away with only credit card form submissions being encrypted
> and not other forms?
>

Absolutely not!  All private information should be encrypted: web-based
email, banking, shopping.  And not just the login or payment pages; pages
that display the confidential information should be encrypted too.


> I've tried many different searches and all I can find is
>
> https://www.thesslstore.com/blog/index.php/every-website-should-use-ssl-to-secure-user-information-why-ssland
> that is written by someone that sells SSL certificates so it could be
> biased.
>

Would advice from hackers be biased?
http://www.youtube.com/watch?v=6X5TwvGXHP0

--

Lee
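A quick way to check the thread's two points (the form must post over HTTPS, and the page carrying the form must itself be served over HTTPS) is to audit the forms on a fetched page. This is an added example, not code from the thread; the URLs and HTML are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record each <form>: its resolved action URL and whether it has a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # An empty action means "submit back to the current page".
            self._form = {"action": urljoin(self.page_url, a.get("action", "")),
                          "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form and a.get("type", "").lower() == "password":
            self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_forms(page_url, html):
    """Return one finding per insecure form, covering both risks raised in the thread:
    the submission travels over plain HTTP (readable in transit), or the page that
    delivered the form did (the form could be altered before the user sees it)."""
    collector = FormCollector(page_url)
    collector.feed(html)
    findings = []
    for form in collector.forms:
        kind = "password form" if form["has_password"] else "form"
        if urlsplit(form["action"]).scheme != "https":
            findings.append(f"{kind} submits over plain HTTP to {form['action']}")
        if urlsplit(page_url).scheme != "https":
            findings.append(f"{kind} delivered on plain-HTTP page {page_url}")
    return findings


# Constructed sample: a login page served over HTTP whose form posts to HTTPS.
SAMPLE_URL = "http://www.example.com/login"
SAMPLE_HTML = """<form action="https://www.example.com/session" method="post">
<input name="user"><input type="password" name="pw"></form>
<form action="/search"><input name="q"></form>"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

Serving the same HTML from an https:// page URL clears all findings, because the relative search form then resolves to HTTPS as well.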

