Re: [Full-Disclosure] http://www.chase.com/ vulnerability
From: Perry E. Metzger (perry_at_piermont.com)
Date: 05/28/04
- Previous message: Jim Bauer: "[Full-Disclosure] Re: Bypassing "smart" IDSes with misdirected frames? (long and boring)"
- Maybe in reply to: Perry E. Metzger: "[Full-Disclosure] http://www.chase.com/ vulnerability"
- Next in thread: Brandon: "RE: [Full-Disclosure] http://www.chase.com/ vulnerability"
To: <gauntlet@nym.hush.com>
Date: Fri, 28 May 2004 15:30:17 -0400

<gauntlet@nym.hush.com> writes:
> Many financial institutions do the same thing.
>
> www.americanexpress.com:
>
> Security is important to everyone!
>
> Please be assured that, although the home page itself does not have an
> "https" URL, the login component of this page is secure. When you enter your
> User ID and password, your information is transmitted via a secure
> environment,

Except you have no way to know that without reading the html, since
someone could have intercepted and altered the form. Given how many
people can or will read the html, the assurances are completely false
and essentially constitute a way of training their customers to have
their accounts taken over in the future.
--
Perry E. Metzger perry@piermont.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html