[132758] in cryptography@c2.net mail archive


Re: once more, with feeling.

daemon@ATHENA.MIT.EDU (Darren J Moffat)
Mon Sep 8 12:47:44 2008

Date: Mon, 08 Sep 2008 16:16:46 +0100
From: Darren J Moffat <Darren.Moffat@Sun.COM>
In-reply-to: <87wshmk8u9.fsf@snark.cb.piermont.com>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: cryptography@metzdowd.com

Perry E. Metzger wrote:
> I was shocked that several people posted in response to Peter
> Gutmann's note about Wachovia, asking (I paraphrase):
> 
> "What is the problem here? Wachovia's front page is only http
> protected, but the login information is posted with https! Surely this
> is just fine, isn't it?"

[snip]

> (I won't be forwarding followups to this unless they are unusually
> interesting.)

Hopefully this is interesting enough to get forwarded on...

Sadly this practice is all too common, and often goes hand in hand with 
the other "cardinal sin" of https, that of mixed http/https pages.

I believe the only way both of these highly dubious deployment practices 
will be stamped out is when the browsers stop allowing users to see such 
web pages. So that there becomes a directly attributable financial 
impact to the sites that deploy in that way.

As much as I like Firefox & Safari [ the only two browsers I use now ], 
this has to be led by Microsoft with Internet Explorer since that will 
have the biggest impact. Given that IE 8 is in beta, this seems like a perfect 
opportunity to get this in as a change for the next version.

Warnings aren't enough in this context [ they already exist ]; the only 
thing that will work is stopping the page being seen - replacing it with 
a clearly worded explanation with *no* way to pass through and render 
the page (okay, maybe with a debug build of the browser, but not in the 
shipped product).


-- 
Darren J Moffat

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
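The two deployment practices the message above objects to (a login form delivered over plain http that merely posts to https, and an https page that pulls sub-resources over http) can both be detected statically from the served HTML. The following is an added example written for this archive page; it is not code from the original message, from Wachovia, or from any browser vendor. It uses only the Python standard library, and the two pages it audits are constructed sample inputs with made-up `example.test` hostnames.

```python
"""Audit served HTML for the two "cardinal sins" discussed in the thread.

Added example, not part of the original message. Findings reported:
  1. A form containing a password field is delivered over plain http.
     Even if the action is https, the http page itself can be altered in
     transit before the user types anything, so the https action gives
     the user no assurance.
  2. Mixed content: an https page loads a script, stylesheet, frame,
     image, object or embed over plain http.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that causes a sub-resource load (link handled separately,
# since only rel="stylesheet" links fetch a resource the page depends on).
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src",
    "frame": "src", "object": "data", "embed": "src",
}


class _Audit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme
        self.findings = []
        self._forms = []  # stack of [resolved action URL, has_password_field]

    def _check_resource(self, tag, ref):
        # Mixed content is only meaningful when the page itself is https.
        if self.page_scheme != "https" or ref is None:
            return
        url = urljoin(self.page_url, ref)
        if urlsplit(url).scheme == "http":
            self.findings.append(f"mixed content: <{tag}> loads {url} over http")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._forms.append([urljoin(self.page_url, a.get("action") or ""), False])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._forms:
                self._forms[-1][1] = True
            else:
                self.findings.append("password field outside any form")
        elif tag == "link":
            if "stylesheet" in (a.get("rel") or "").lower().split():
                self._check_resource(tag, a.get("href"))
        elif tag in RESOURCE_ATTRS:
            self._check_resource(tag, a.get(RESOURCE_ATTRS[tag]))

    def handle_endtag(self, tag):
        if tag == "form" and self._forms:
            action, has_password = self._forms.pop()
            if not has_password:
                return  # search boxes etc. are not what the thread is about
            action_scheme = urlsplit(action).scheme
            if self.page_scheme != "https":
                self.findings.append(
                    f"login form served over {self.page_scheme}, posts to "
                    f"{action_scheme} (page can be altered before the user types anything)")
            elif action_scheme != "https":
                self.findings.append(f"login form on https page posts to {action}")


def audit(page_url, html):
    """Return a list of human-readable findings for one served page."""
    parser = _Audit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages (not real sites).
FRONT_PAGE = """<html><body>
<form action="https://login.example.test/auth" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

MIXED_PAGE = """<html><head>
<script src="http://cdn.example.test/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/a.css">
</head><body>
<form action="/login"><input type="password" name="p"></form>
<img src="//cdn.example.test/logo.png"></body></html>"""

if __name__ == "__main__":
    for url, page in (("http://www.example.test/", FRONT_PAGE),
                      ("https://www.example.test/", FRONT_PAGE),
                      ("https://www.example.test/", MIXED_PAGE)):
        print(url, audit(url, page) or ["no findings"])
```

Relative and protocol-relative references are resolved against the page URL before the scheme is inspected, so a `//cdn.example.test/logo.png` image on an https page is correctly not flagged, while the same front page served over https instead of http produces no finding at all, which is exactly the change the message argues browsers should force on sites.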
