Re: Bank login not using https

---

• From: "BernieM" <berniem@xxxxxxxxxxxxxx>
• Date: Sun, 11 Mar 2007 18:01:12 +1000

---

"Barry Margolin" <barmar@xxxxxxxxxxxx> wrote in message
news:barmar-DEA40C.14214910032007@xxxxxxxxxxxxxxxxxxxxxxxxxxx

In article <1173501997.893541.233390@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
"spasmous2" <spasmous@xxxxxxxxx> wrote:

I just started using a new bank, which has an online access page to
perform transactions etc. It is
http://www.orchardbank.com/ecare/loginform

I noticed it is not an https (secured) site but has a logo saying it
is SSL secured with verisign... whatever that means. Can anyone tell
me if I should be wary of using this login URL since it is not an
https site. After I signed up I immediately changed my login details/
security questions since these were all performed over an http
connection.

I am basically a novice about these things but "know" (ie. have been
told a lot!) that https is important.

Although the login page isn't downloaded with SSL, it DOES use SSL to
submit the form. It's kind of difficult to tell this from the source,
because it uses some contorted Javascript to perform the submission.
But just do a login and look at the location line in your browser and
you'll see that it changed to HTTPS.

--
Barry Margolin, barmar@xxxxxxxxxxxx
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Yes, I also tested that with a Wireshark capture. It immediately sends a
TCP SYN using HTTPS when you submit the form.

BernieM


.

---

• Follow-Ups:
  • Re: Bank login not using https
    • From: Hans Osterbrinck

• References:
  • Bank login not using https
    • From: spasmous2
  • Re: Bank login not using https
    • From: Barry Margolin

• Prev by Date: Re: Host File Question
• Next by Date: Re: cygwin security in sensitive production
• Previous by thread: Re: Bank login not using https
• Next by thread: Re: Bank login not using https
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: ISA 2006 and SSL ... same user can access the site in question by creating an SSL-Tunnel and is ... Microsoft Online Partner Support ... | Subject: RE: ISA 2006 and SSL ... | | rule to allow HTTPS to local host, instead of all http and https ... (microsoft.public.isa) Re: Cannot Access Includes Above Current Directory if using SSL ... I'm new to your list and configuring Apache with the SSL module enabled ... similar nested levels in directory tree but not SSL). ... within the https directory tree. ... The SSI is mostly for testing trying to figure out why my PHP scripts ... (php.general) Cannot Access Includes Above Current Directory if using SSL ... I'm new to your list and configuring Apache with the SSL module enabled ... similar nested levels in directory tree but not SSL). ... within the https directory tree. ... The SSI is mostly for testing trying to figure out why my PHP scripts ... (php.general) Cannot Access Includes Above Current Directory if using SSL ... I'm new to your list and configuring Apache with the SSL module enabled ... similar nested levels in directory tree but not SSL). ... within the https directory tree. ... The SSI is mostly for testing trying to figure out why my PHP scripts ... (php.general) RE: ISA 2006 and SSL ... Authentication in ISA Server 2006 ... Microsoft Online Partner Support ... | Subject: RE: ISA 2006 and SSL ... | | rule to allow HTTPS to local host, instead of all http and https ... (microsoft.public.isa)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.security.misc  > 2007-03