[17431] in cryptography@c2.net mail archive
Re: AmEx unprotected login site
daemon@ATHENA.MIT.EDU (Ben Laurie)
Thu Jun 9 09:51:04 2005
X-Original-To: cryptography@metzdowd.com
Date: Thu, 09 Jun 2005 13:40:08 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: "Steven M. Bellovin" <smb@cs.columbia.edu>,
Jerrold Leichter <jerrold.leichter@smarts.com>,
Amir Herzberg <herzbea@macs.biu.ac.il>, cryptography@metzdowd.com
In-Reply-To: <8764woh2r2.fsf@snark.piermont.com>
Perry E. Metzger wrote:
> "Steven M. Bellovin" <smb@cs.columbia.edu> writes:
>
>>> They're still doing the wrong thing. Unless the page was transmitted
>>> to you securely, you have no way to trust that your username and
>>> password are going to them and not to someone who cleverly sent you an
>>> altered version of the page.
>>
>> They're doing the wrong thing, and probably feel they have no choice.
>> Setting up an SSL session is expensive; most people who go to their
>> home page do not log in, and hence do not (to Amex) require
>> cryptographic protection.
>
>
> That's why Citibank and most well run bank sites have you click on a
> button on the front page to go to the login screen. There are ways to
> handle this correctly.
Why is this better? The button you click can just as easily take you to
a site other than the one intended.
--
>>>ApacheCon Europe<<< http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
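Added example, not part of this thread and not code from any site named in it: a small Python audit that applies the point argued above. A login form whose page arrived over plain HTTP is flagged even when the form posts to HTTPS (the page itself was never authenticated), and a "click here to log in" link on an HTTP page is flagged for the same reason, since the link target is just as replaceable as the form. The sample pages and the host name `www.example.test` are constructed for the example; the "login"/"signin" path words used to recognise a login link are a heuristic assumed here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginScanner(HTMLParser):
    """Collect forms (with whether they carry a password field) and links."""

    def __init__(self):
        super().__init__()
        self.forms = []      # dicts: {'action': str, 'has_password': bool}
        self.links = []      # raw href values
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _is_https(url):
    return urlsplit(url).scheme.lower() == "https"


def audit_login_page(page_url, html):
    """Return (finding, url) pairs for a page fetched from page_url.

    The first question is always whether the page itself came over HTTPS:
    if it did not, nothing it contains (form action or login link) can be
    trusted, whatever scheme that target uses.
    """
    findings = []
    page_secure = _is_https(page_url)
    scanner = _LoginScanner()
    scanner.feed(html)

    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"] or page_url)
        if not page_secure:
            # Unauthenticated page: the action could have been rewritten in transit.
            findings.append(("LOGIN_FORM_ON_INSECURE_PAGE", action))
        elif not _is_https(action):
            findings.append(("LOGIN_FORM_POSTS_INSECURELY", action))

    if not page_secure:
        for href in scanner.links:
            target = urljoin(page_url, href)
            path = urlsplit(target).path.lower()
            # Heuristic (assumption): treat paths mentioning login/signin as login links.
            if _is_https(target) and ("login" in path or "signin" in path):
                findings.append(("LOGIN_LINK_FROM_INSECURE_PAGE", target))
    return findings


# Constructed sample pages for the three patterns discussed in the thread.
FORM_ON_HTTP_PAGE = """<html><body>
<form action="https://www.example.test/login" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form></body></html>"""

BUTTON_ON_HTTP_PAGE = """<html><body>
<a href="https://www.example.test/login">Log in</a>
</body></html>"""

FORM_ON_HTTPS_PAGE = """<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

FORM_ON_HTTPS_PAGE_POSTING_HTTP = """<html><body>
<form action="http://www.example.test/login" method="post">
  <input type="password" name="pass">
</form></body></html>"""


if __name__ == "__main__":
    for url, page in [("http://www.example.test/", FORM_ON_HTTP_PAGE),
                      ("http://www.example.test/", BUTTON_ON_HTTP_PAGE),
                      ("https://www.example.test/login", FORM_ON_HTTPS_PAGE)]:
        print(url, audit_login_page(url, page))
```

Both the form-on-HTTP and the button-on-HTTP patterns produce a finding, which is the point of the reply above: moving the credentials field behind a click does not change where the trust decision is made. Only a page that itself arrived over HTTPS, and whose form posts over HTTPS, comes back clean.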