[132747] in cryptography@c2.net mail archive

once more, with feeling.

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Mon Sep 8 10:32:33 2008

To: cryptography@metzdowd.com
From: "Perry E. Metzger" <perry@piermont.com>
Date: Mon, 08 Sep 2008 10:31:26 -0400


I was shocked that several people posted in response to Peter
Gutmann's note about Wachovia, asking (I paraphrase):

"What is the problem here? Wachovia's front page is only http
protected, but the login information is posted with https! Surely this
is just fine, isn't it?"

I'm not going to explain why this is wrong. It should be obvious. If
it isn't obvious to you, you should try thinking like an attacker for
a few moments. If it still isn't obvious to you why this is very bad,
read the list archives.

(I won't be forwarding followups to this unless they are unusually
interesting.)

Perry
-- 
Perry E. Metzger		perry@piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
