Am I the only one that thinks it's pointless having a secure login system for a site if the login page process is the only part of it that's secured via https?
I mean, if I was sitting on a network with a packet sniffer reading your packets, I would be screwed out of knowing your login details, but if you were to go and check your balance for example, or read your highly sensitive e-mail for example, that information would be readily available to me if I went ahead and read those packets.
So I could not get that info myself, but I could simply let you get it for me, but I am limited to only what you see.
Is this an example of poor system design, or is this acceptable? And if it is acceptable, why?
Secure login system insecurity
Simple answer: it depends 
Let's take this board as an example. I wouldn't really mind if you with your best friend "1337 Packet Sniffer" were reading this post as it was submitted. Nor would I if you were reading those threads I read. But I would feel really bad if you were posting using my account.
Thus here we have the case where secure login is sufficient.
heh
Well, I really mean just in regards to a system where it's sensible and even required to use a secure login because of the information you securely view once logged in. Such as an e-mail account, auction site account, and etcetera.
I think just about all information that you could update on this site is publicly viewable (minus the password and various account configuration options).
So besides systems similar to this one, is it acceptable?
- Maugrim_The_Reaper
I think a lot comes down to privacy.
Your password is private.
A forum post is not private.
A bank balance is private.
If it's private then it should not be capable of being intercepted and read by other people.
By that rule, email, auction information, etc. that is deemed personal private information should be accessed via https if possible. Often though that can come down to user choice - how many click the SSL option when logging into their email account?
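The "posting using my account" risk raised above comes down to what the site does after the HTTPS login: if the session cookie is issued without the Secure attribute, the browser resends it on every plain-http request, so a sniffer can reuse it. The following audit is an added example and not code from this thread; it checks a constructed post-login response for cookies that would travel over plain http, for cookies readable by page scripts, and for a missing Strict-Transport-Security header, which are the three things that keep a session on https after login. The header samples are constructed for illustration.

```python
def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key in ("path", "domain", "samesite"):
            cookie[key] = val.strip()
    return cookie

def audit_login_response(headers) -> list:
    """Return findings for a list of (name, value) response headers."""
    findings = []
    has_hsts = False
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            has_hsts = True
        elif name.lower() == "set-cookie":
            c = parse_set_cookie(value)
            if not c["secure"]:  # browser will resend this over plain http
                findings.append(f"cookie {c['name']} lacks Secure: sent over plain http")
            if not c["httponly"]:  # readable by any script on the page
                findings.append(f"cookie {c['name']} lacks HttpOnly: readable by page scripts")
    if not has_hsts:
        findings.append("no Strict-Transport-Security: browser may follow http links after login")
    return findings

# Constructed sample: a site that only protects the login page itself.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

# Constructed sample: same cookies, but the session stays on https.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_login_response(resp) or ["no findings"])
```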