[17404] in cryptography@c2.net mail archive
Re: AmEx unprotected login site
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Wed Jun 8 15:20:05 2005
X-Original-To: cryptography@metzdowd.com
To: Jerrold Leichter <jerrold.leichter@smarts.com>
Cc: Amir Herzberg <herzbea@macs.biu.ac.il>, cryptography@metzdowd.com
From: "Perry E. Metzger" <perry@piermont.com>
Date: Wed, 08 Jun 2005 15:16:29 -0400
In-Reply-To: <Pine.SOL.4.61.0506081126070.11616@frame> (Jerrold Leichter's message of "Wed, 8 Jun 2005 14:25:20 -0400 (EDT)")
Jerrold Leichter <jerrold.leichter@smarts.com> writes:
> If you look at their site now, they *claim* to have fixed it: The login box
> has a little lock symbol on it. Click on that, and you get a pop-up window
> discussing the security of the page. It says that although the page itself
> isn't protected, "your information is transmitted via a secure environment".
>
> No clue as to what exactly they are doing, hence if it really is secure.
They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to them and not to someone who cleverly sent you an
altered version of the page.
Perry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
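The point Perry makes above, as an added example that is not part of the original thread or of any AmEx code: a login form delivered over plain HTTP is untrustworthy even when its form action points at an HTTPS URL, because the page carrying that action can be rewritten in transit before the user ever sees it. The HTML, the hostnames (bank.example, evil.example) and the helper names are constructed for this illustration and are assumptions, not anything from the page.

```python
"""
Added example (not from the mailing-list thread): why "the page is HTTP but the
form posts over HTTPS" gives the user nothing to verify.

The only property a browser can check before sending credentials is the scheme
of the page it actually received.  If that page came over HTTP, an on-path
attacker can change the form's destination (or inject script) and leave the
rest byte-identical, lock icon and reassuring pop-up included.

Hostnames and HTML below are constructed placeholders for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormFinder(HTMLParser):
    """Collects the action of every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self._current = None
        self.login_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.login_actions.append(self._current["action"])
            self._current = None


def login_actions(page_url, html):
    """Return the absolute URLs that the page's login form(s) will POST to."""
    p = FormFinder()
    p.feed(html)
    return [urljoin(page_url, act) for act in p.login_actions]


def mitm_rewrite(html, attacker_origin):
    """Simulate an on-path attacker rewriting an HTTP page in transit.
    Only the form destination changes; everything the user can see stays the
    same, which is exactly why a lock icon drawn by the page proves nothing."""
    return html.replace('action="https://bank.example/login"',
                        f'action="{attacker_origin}/login"')


def credentials_safe_to_send(page_url, html):
    """The check a client or auditor should apply before trusting a login form:
    1. the page carrying the form was itself fetched over HTTPS, and
    2. every login form on it posts to HTTPS.
    Condition 2 alone is meaningless, because an HTTP-served page may already
    have been altered by the time it is inspected."""
    if urlsplit(page_url).scheme != "https":
        return False
    actions = login_actions(page_url, html)
    return bool(actions) and all(urlsplit(a).scheme == "https" for a in actions)


# Constructed login page: it "looks" secure because the form posts to HTTPS.
LOGIN_PAGE = """
<html><body>
<form method="post" action="https://bank.example/login">
  <input name="user"><input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
</body></html>
"""


if __name__ == "__main__":
    http_url = "http://bank.example/"    # the page as actually served: plain HTTP
    https_url = "https://bank.example/"  # how it should have been served

    # Genuine page over HTTP: the action is HTTPS, but nothing vouches for the page.
    print(login_actions(http_url, LOGIN_PAGE))           # ['https://bank.example/login']
    print(credentials_safe_to_send(http_url, LOGIN_PAGE))  # False

    # Same page after an on-path rewrite: still an HTTPS action, wrong destination.
    tampered = mitm_rewrite(LOGIN_PAGE, "https://evil.example")
    print(login_actions(http_url, tampered))             # ['https://evil.example/login']

    # Only when the page itself arrived over HTTPS does the HTTPS action mean anything.
    print(credentials_safe_to_send(https_url, LOGIN_PAGE))  # True
```

The design choice worth noting: `credentials_safe_to_send` refuses on the page scheme first and only then looks at the form, because once the page has arrived over HTTP the attacker controls everything the check could inspect, including the form action, the lock graphic and any text claiming that "your information is transmitted via a secure environment".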