Re: Bank Of America - sign on process - how is this secure?

From: Barry Margolin (barmar@genuity.net)
Date: 11/26/02


From: Barry Margolin <barmar@genuity.net>
Date: Mon, 25 Nov 2002 23:55:17 GMT

In article <m1smxpdz9p.gnus@usa.net>,
those who know me have no need of my name <not-a-real-address@usa.net> wrote:
>the form submission (aka, login) is totally secure. it's the lock / safety
>indicator that is incorrect or misleading, at least it is in all the
>browsers which i've seen, including mozilla and msie.

As long as the padlock is associated with the entire window, rather than
being overlaid over each Submit button, it's not really possible for it to
be correct in situations like this. After all, a page with multiple forms
on it could submit some of them with HTTPS and others with HTTP, so there's
no single secureness attribute for the entire page.

I think most browsers will warn you if a page was loaded securely and you
click on a submit button that uses a non-secure submission method (although
there may be a Preferences option to disable this warning). Web site
designers usually cater to this type of behavior by providing a secure
signon page that loads with SSL, so that the padlock will appear and the
user would be warned if it didn't submit securely.

-- 
Barry Margolin, barmar@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
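
The point made above about forms on one page being submitted over different schemes, as an added example that is not part of the original post: a Python check that resolves each form's `action` against the page URL and reports whether the window-level padlock would match how that form is actually submitted. The host `bank.example`, the sample HTML and the verdict strings are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Record each <form>'s action attribute and the first <base href>."""
    def __init__(self):
        super().__init__()
        self.actions, self.base = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base is None and a.get("href"):
            self.base = a["href"]
        elif tag == "form":
            self.actions.append((a.get("action") or "").strip())

def audit_forms(page_url, html):
    """Return (resolved_target, verdict) for every form on the page."""
    collector = FormCollector()
    collector.feed(html)
    base = urljoin(page_url, collector.base) if collector.base else page_url
    padlock = urlsplit(page_url).scheme == "https"   # window-level indicator
    results = []
    for action in collector.actions:
        # An empty action submits back to the document's own URL.
        target = urljoin(base, action) if action else page_url
        encrypted = urlsplit(target).scheme == "https"
        if padlock and encrypted:
            verdict = "padlock shown, encrypted submit"
        elif padlock:
            verdict = "padlock shown, CLEARTEXT submit"
        elif encrypted:
            verdict = "no padlock, encrypted submit"
        else:
            verdict = "no padlock, cleartext submit"
        results.append((target, verdict))
    return results

# Constructed sample: a sign-on form embedded in a page served over plain HTTP.
SAMPLE_URL = "http://bank.example/index.html"
SAMPLE_HTML = """
<form action="https://bank.example/login" method="post">
  <input name="id"><input type="password" name="pw"><input type="submit">
</form>
<form action="/search"><input name="q"><input type="submit"></form>
"""

if __name__ == "__main__":
    for target, verdict in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(f"{verdict:35} {target}")
```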