Re: Bank Of America - sign on process - how is this secure?

From: those who know me have no need of my name (not-a-real-address@usa.net)
Date: 11/26/02


From: those who know me have no need of my name <not-a-real-address@usa.net>
Date: 25 Nov 2002 23:26:55 GMT


[fu-t set -- this is off-topic in most of the groups named]

in comp.security.misc i read:
>Lloydi <nuggiepost.20.lloydi@spamgourmet.com> randomly produced:

>> On Bank of America's site they have a sign in box to their online
>> banking on the home page.
>>
>> http://www.bankofamerica.com/index.cfm

>> Is this secure?

>It's not secure, simple as that, you are correct.

the form submission (aka, login) is totally secure. it's the lock / safety
indicator that is incorrect or misleading, at least it is in all the
browsers which i've seen, including mozilla and msie. most web sites cater
to the idiocy (by serving the entire login page via ssl), some don't.

bofa used to make you link through several pages to reach the login page,
which you can still do if you like, start at
<http://www.bankofamerica.com/state.cgi?section=signin>.

-- 
bringing you boring signatures for 17 years

