Secure login system insecurity
Posted: Sun Jan 08, 2006 1:09 pm
Am I the only one who thinks it's pointless having a secure login system for a site if the login page process is the only part of it that's secured via https?
I mean, if I were sitting on a network with a packet sniffer reading your packets, I would be screwed out of knowing your login details, but if you were to go and check your balance, or read your highly sensitive e-mail, for example, that information would be readily available to me if I went ahead and read those packets.
So I could not get that info myself, but I could simply let you get it for me, though I would be limited to only what you see.
Is this an example of poor system design, or is this acceptable? And if it is acceptable, why?
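The scenario described in the post, as an added example that is not part of the original thread: a browser logs in over HTTPS, receives a session cookie, and then follows a plain-http link to an account page. The script below simulates a browser cookie jar that follows the RFC 6265 rule for the Secure attribute, and a passive sniffer that can read only plaintext HTTP. The host name bank.example, the paths, and the session id are constructed for the demonstration.

```python
"""Why HTTPS on the login page alone does not protect the session.

Added example (not from the original post). It simulates a browser's
cookie jar honouring the RFC 6265 'Secure' attribute, then a passive
sniffer that sees only plaintext HTTP. The host bank.example, the paths
and the session id d2f1a9c4e0b7 are constructed for the demonstration.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class CookieJar:
    """Minimal cookie jar: one cookie per (host, name); Path is ignored."""

    def __init__(self):
        self.cookies = {}  # (host, name) -> (value, secure_flag)

    def store(self, url, set_cookie_header):
        """Store the cookies from a Set-Cookie header received from url."""
        host = urlsplit(url).hostname
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            self.cookies[(host, name)] = (morsel.value, bool(morsel["secure"]))

    def cookie_header(self, url):
        """Return the Cookie header value a browser would attach for url."""
        parts = urlsplit(url)
        over_tls = parts.scheme == "https"
        sent = []
        for (host, name), (value, secure) in self.cookies.items():
            if host != parts.hostname:
                continue
            if secure and not over_tls:
                continue  # RFC 6265 5.4: Secure cookies only go over secure channels
            sent.append(f"{name}={value}")
        return "; ".join(sent)


def browse(jar, url):
    """Build the request a browser would send and return what a sniffer sees.

    A request over https is opaque to a passive observer (returned as None);
    a plain-http request is returned in full, headers included.
    """
    parts = urlsplit(url)
    cookie = jar.cookie_header(url)
    request = f"GET {parts.path} HTTP/1.1\r\nHost: {parts.hostname}\r\n"
    if cookie:
        request += f"Cookie: {cookie}\r\n"
    request += "\r\n"
    if parts.scheme == "https":
        return None  # encrypted on the wire; nothing for the sniffer
    return request


def sniffed_session(wire_text):
    """Pull the 'sid' session id out of a captured plaintext request, if any."""
    if wire_text is None:
        return None
    for line in wire_text.split("\r\n"):
        if line.lower().startswith("cookie:"):
            cookies = SimpleCookie()
            cookies.load(line.split(":", 1)[1].strip())
            if "sid" in cookies:
                return cookies["sid"].value
    return None


def login_then_browse(secure_flag):
    """Log in over HTTPS, then open the balance page over plain http.

    Returns the session id the sniffer recovered, or None if nothing leaked.
    """
    jar = CookieJar()
    # Constructed Set-Cookie header; Secure is the attribute under test.
    set_cookie = "sid=d2f1a9c4e0b7; Path=/; HttpOnly" + ("; Secure" if secure_flag else "")
    jar.store("https://bank.example/login", set_cookie)
    # The site serves everything after the login page over plain http.
    captured = browse(jar, "http://bank.example/account/balance")
    return sniffed_session(captured)


if __name__ == "__main__":
    print("without Secure flag, sniffer sees sid:", login_then_browse(False))
    print("with Secure flag, sniffer sees sid:", login_then_browse(True))
```

Without the Secure attribute the browser sends the session cookie in the clear on the very next http:// request, so the sniffer gets more than "what you see": it gets the session id and can replay it. Setting Secure stops that particular leak, but the balance page itself is still plaintext, which is exactly the post's second point; the only real fix is to serve the whole authenticated session over HTTPS rather than just the login form.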