Re: Bank Of America - sign on process - how is this secure?

From: Barry Margolin (barmar@genuity.net)
Date: 11/25/02


From: Barry Margolin <barmar@genuity.net>
Date: Mon, 25 Nov 2002 16:23:29 GMT

In article <1038240162.74993.0@iapetus.uk.clara.net>,
Lloydi <nuggiepost.20.lloydi@spamgourmet.com> wrote:
>On Bank of America's site they have a sign in box to their online banking on
>the home page.
>
>http://www.bankofamerica.com/index.cfm
>
>I want to know, how is this secure? This would surely mean that the
>information typed in to the Online ID and passcode fields is not encrypted
>by 128 bit SSL when they are sent to the https page. Normally, you have to
>click through to https hosted page and THEN sign on from there, safe in the
>knowledge that the details are encrypted properly.

No, all this means is that the form was sent to you in non-encrypted form.
Whether the information you enter is encrypted depends on the URL that's
used when you click the Submit button. I looked at the source of the page,
and found this:

<form name="frmSignIn"
      action="https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller?noscript=true"
      method="post"
      onSubmit="doSignIn(); return false;"
      autocomplete="OFF">

The URL in the action= parameter specifies how the form data is submitted,
and it uses HTTPS, not HTTP, so it's encrypted.

-- 
Barry Margolin, barmar@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
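
Added example, not part of the original post and not the bank's code: a static check that resolves each form's action= against the page URL and reports whether the submission goes over HTTPS, alongside whether the form itself was delivered over HTTPS and whether a script submit handler is present. The page URL and the frmSignIn form tag are taken from the thread; the input fields, the frmSearch form, and the names FormAudit and audit are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Page URL and the frmSignIn tag are from the thread; the input fields and
# the second form are constructed for this example.
PAGE_URL = "http://www.bankofamerica.com/index.cfm"
SAMPLE_HTML = """
<form name="frmSignIn"
      action="https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller?noscript=true"
      method="post" onSubmit="doSignIn(); return false;" autocomplete="OFF">
  <input type="text" name="id"><input type="password" name="pc">
</form>
<form name="frmSearch" action="/search.cfm" method="get">
  <input type="text" name="q">
</form>
"""


class FormAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.in_form = page_url, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names
        if tag == "form":
            # A relative or missing action resolves against the page URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self.forms.append({
                "name": a.get("name"),
                "target": target,
                "submit_encrypted": urlparse(target).scheme == "https",
                "form_delivered_encrypted": urlparse(self.page_url).scheme == "https",
                # A script handler can change where the data goes; the
                # static action attribute cannot show that.
                "script_handler": "onsubmit" in a,
                "has_password": False,
            })
            self.in_form = True
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "password":
            self.forms[-1]["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def audit(page_url, html):
    parser = FormAudit(page_url)
    parser.feed(html)
    return parser.forms
```
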