[17403] in cryptography@c2.net mail archive


Re: AmEx unprotected login site (was encrypted tapes, was Re:

daemon@ATHENA.MIT.EDU (Jerrold Leichter)
Wed Jun 8 15:18:39 2005

X-Original-To: cryptography@metzdowd.com
Date: Wed, 8 Jun 2005 14:25:20 -0400 (EDT)
From: Jerrold Leichter <jerrold.leichter@smarts.com>
To: Amir Herzberg <herzbea@macs.biu.ac.il>
Cc: "Perry E. Metzger" <perry@piermont.com>,
	Ian G <iang@systemics.com>, cryptography@metzdowd.com
In-Reply-To: <42A699A7.7030608@macs.biu.ac.il>

| Perry makes a lot of good points, but then gives a wrong example re Amex site
| (see below). Amex is indeed one of the unprotected login sites (see my `I-NFL
| Hall of Shame`, http://AmirHerzberg.com/shame.html). However, Amex is one of
| the few companies that actually responded seriously to my warning on this
| matter. In fact, I think they are the _only_ company that responded seriously
| - but failed to fix their site... I had an interesting discussion with their
| security and web folks, and my conclusions are:
| 
| 1. These are serious people who understand technology and security
| reasonably well. They are aware of many attacks, including much more
| advanced spoofing attacks (that can foil even an expert user of a `regular`
| browser - by regular I mean without improved security indicators like
| provided by TrustBar).  Unfortunately, they use this awareness to justify to
| themselves the lack of protection (`why should I put a lock when some people
| know how to break it?`)....
|
| 4. Ultimately, what we have here is simply the `usability beats security`
| rule...
If you look at their site now, they *claim* to have fixed it:  The login box 
has a little lock symbol on it.  Click on that, and you get a pop-up window 
discussing the security of the page.  It says that although the page itself 
isn't protected, "your information is transmitted via a secure environment".

No clue as to what exactly they are doing, hence if it really is secure.

							-- Jerry


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
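The distinction the reply turns on (a login page itself served without TLS, while the site says the submission is "transmitted via a secure environment") can be checked mechanically. The scanner below is an added example written for this archive page, not code from the list thread or from any site it mentions; it finds password forms in a page's HTML and reports whether the page, and not only the form action, is served over HTTPS. The host names and HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormScanner(HTMLParser):
    """Collect every <form> containing a password field, with its resolved action URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # each entry: {"action": absolute URL, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action means "post back to the page URL".
            self._current = {"action": urljoin(self.page_url, attrs.get("action") or ""),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append(self._current)
            self._current = None


def assess_login_page(page_url, html):
    """Return (action_url, verdict) for each password form on the page.

    A form delivered over plaintext can be altered in transit before the user
    sees it, so an HTTPS action on an HTTP page is still reported as unprotected.
    """
    scanner = LoginFormScanner(page_url)
    scanner.feed(html)
    page_tls = urlsplit(page_url).scheme == "https"
    findings = []
    for form in scanner.forms:
        action_tls = urlsplit(form["action"]).scheme == "https"
        if page_tls and action_tls:
            verdict = "protected"
        elif action_tls:
            verdict = "unprotected page, https submit"
        else:
            verdict = "plaintext submit"
        findings.append((form["action"], verdict))
    return findings


# Constructed sample: a plain search form plus a login form that posts to an HTTPS host.
SAMPLE_HTML = """<html><body>
<form action="/search"><input name="q"></form>
<form action="https://secure.example.test/login" method="post">
  <input name="user"><input type="password" name="pw"><input type="submit">
</form></body></html>"""

if __name__ == "__main__":
    for action, verdict in assess_login_page("http://www.example.test/login", SAMPLE_HTML):
        print(action, "->", verdict)
```

Only the page URL changes between the first two cases: the same form is "protected" when the page is fetched over HTTPS and "unprotected page, https submit" when it is fetched over HTTP.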
