https is a joke. IF and WHEN it works properly, it’s too complex for the real world to understand (ahem…and even recognize). Encrypting everything as some are advocating is truly wasted effort that could be spent better on real security measures.
I disagree with all of that. If I were in charge of setting up an SSO, I’d be sending a X-Frame-Options: DENY header so it could never have gotten iframed into a non-SSL page, forcing users to be redirected to the actual login page. Then I’d include a Strict-Transport-Security header with a long expiry time so most users can’t even get to the SSO page any unencrypted way. Send the SSO cookies with secure and httponly flags. This is all pretty basic stuff that I’d expect any security team working for a large corporation to catch in the most basic audit.
Don’t make it up to the “real world” to understand or recognize, just force it on them, make it impossible to not use it, and your problem is solved.
But how does that solve the problem? If I mitm the outside page, I’m not going to embed the real login box. Yes, maybe it prevents such a thing from being deployed, but nicks point is that users aren’t looking to see where they are going. X frame and HSTS don’t prevent users from going to the wrong place.
And personally, I have to agree in a technical sense. If using https securely requires setting a half dozen headers because the defaults suck so bad, then it is a joke.
The defaults on the web always suck. The web is a box of collected junk we’ve found on the side of the road over the years. To truly fix it, it needs to be thrown away and designed fresh for the modern age.
But, then we need to fix (by replacing) TCP, DNS, SMTP, and all of these other protocols, too.
Let me tell you a story: I worked at a tech startup you almost certainly haven’t heard of and doesn’t have the same name anymore anyway. Someone introduced a system like this. Three separate people raised issues within 12 hours; the system was taken down, and redeployed with decent security within three days.
Certain organizational structures lead people to run insecure systems. At such organizations, any technical security measure will be ineffective. HTTPS is a perfectly adequate tool for security in the “real world”, but it can’t motivate people to secure their systems when their organization incentivizes the opposite.
For all the security-minded folks at OpenBSD, it’s amazing how many of them do their banking over unencrypted, plaintext HTTP.