General discussion

Locked

Determine if SSL connections are truly secure

By debate ·
Does your organization's Web site properly implement SSL? How do you transmit sensitive information? Share your comments about properly implementing an SSL Web site, as discussed in the May 21 Security Solutions e-newsletter.

If you haven't subscribed to our free Security Solutions e-newsletter, sign up today!
http://nl.com.com/acct_mgmt.jsp?brand=techrepublic

This conversation is currently closed to new comments.

4 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

SSL & more

by suarez_m In reply to Determine if SSL connecti ...

Only SSL don't assure any transaction. The sensitive information needs one secure data flow end-to-end. Further, the code must be secure. If we are using any code review tools as Webproxy (@stake), we can do something good. I like to know best practice about code scan tools or code review in several languages (c, c++, VB, ASP, PHP), static tools, dynamic tools.
Thanks,
Jesus Suarez

Collapse -

Question on example

by mshultz In reply to Determine if SSL connecti ...

In your example:

"Form page http://www.shop.com/form.html with a form tag of <form action=https://www.shop.com/cgi-bin/login.cgi method="get">: This securely transmits information to the form Web site."

Is it not true that HTTP headers are not encrypted, just the data? I could be wrong but if I'm right, that would mean that by sending the data via the GET method, it would be fully exposed.

Collapse -

Re: Question on example

by felipe_alfaro In reply to Question on example

You're right... Combining GET with HTTP/S is bad
business. Form data will get encoded into the URL, which
in turn, will get logged into the Web server log files. If the
Web server is compromised, the attacker can gather
sensitive data from the logs, rendering SSL/TLS transport
completely useless.

Of course, using POST with HTTP/S doesn't imply the
transaction is secure, as your confidential data could end
stored in unencrypted form in a database.

Collapse -

SSL Forms?

by felipe_alfaro In reply to Determine if SSL connecti ...

In the article:

* Form page http://www.shop.com/form.html
with a form tag of
<form action=https://www.shop.com/cgi-bin/login.cgi
method="get">:
This securely transmits information to the form Web site.

This is wrong! The form does transmit the information
securely to the remote server by using a SSL-protected
HTTP sessions. However, since we're using the HTTP
GET method, the form contents are sent directly encoded
into the URL itself. Since many Web servers log all
requests done by clients, if the form contains the VISA
card number, it will end in the URL itself, and will then get
logged onto the Web server logs, where an attacker can
gather it easily if the Web server is compromised.

Please, be very careful about what you say when
combining SSL forms with the GET method.

Back to Security Forum
4 total posts (Page 1 of 1)  

Related Discussions

Related Forums