Re: Bank Of America - sign on process - how is this secure?
From: Henrick Hellström (henrick.hellstrm@telia.com)
Date: 11/27/02
- Next message: Jim Grimmett: "Re: netbios"
- Previous message: Nick Hilliard: "Re: constant pinging"
- In reply to: those who know me have no need of my name: "Re: Bank Of America - sign on process - how is this secure?"
- Next in thread: Barry Margolin: "Re: Bank Of America - sign on process - how is this secure?"
- Reply: Barry Margolin: "Re: Bank Of America - sign on process - how is this secure?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Henrick Hellström <henrick.hellstrm@telia.com> Date: Wed, 27 Nov 2002 13:14:41 GMT
those who know me have no need of my name wrote:
> in comp.security.misc i read:
>
>
>>I don't think it is idiotic to transmit the entire login page via ssl.
>>
>>Sure, the login form doesn't have to be kept *confidential* like the
>>login password has to, but there is some point in keeping the login
>>page *authenticated* so that the user doesn't have to look at the html
>>source to make sure where the password will be sent.
>
>
> it gives people a false sense of security. a `secure page', one which will
> show the lock symbol, can have an unprotected action url, i.e., http rather
> than https, yet that symbol fakes people into thinking they are safe. (a
Do you mean that the converse might be the case, i.e. that the login
page is an https page displayed with a padlock, while the user password
is sent unencrypted to an http URL?
I don't think that is likely to be an issue when it comes to internet
banking. What you describe would make the bank liable for any damages
caused by stolen passwords and user identities. It's in the best
interest of the bank not to publish such login pages at their site. The
user might rely on the fact that the login form is authentic (because of
the padlock) and that the bank is responsible for whatever it does.
> few browsers will degrade their lock symbol as a result of this, which is
> good, but in the general case it is not true.) and there will likely be no
> other warning, because people have, by and large, disabled the notification
> of unencrypted transmission, due in large part to the insecure login pages
> for everything else they use and which they are required to accept.
>