Re: Bank login not using https



On 11 Mar., 09:01, "BernieM" <bern...@xxxxxxxxxxxxxx> wrote:
"Barry Margolin" <bar...@xxxxxxxxxxxx> wrote in message

news:barmar-DEA40C.14214910032007@xxxxxxxxxxxxxxxxxxxxxxxxxxx





In article <1173501997.893541.233...@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
"spasmous2" <spasm...@xxxxxxxxx> wrote:

I just started using a new bank, which has an online access page to
perform transactions etc. It is
http://www.orchardbank.com/ecare/loginform

I noticed it is not an https (secured) site but has a logo saying it
is SSL secured with verisign... whatever that means. Can anyone tell
me if I should be wary of using this login URL since it is not an
https site. After I signed up I immediately changed my login details/
security questions since these were all performed over an http
connection.

I am basically a novice about these things but "know" (ie. have been
told a lot!) that https is important.

Although the login page isn't downloaded with SSL, it DOES use SSL to
submit the form. It's kind of difficult to tell this from the source,
because it uses some contorted Javascript to perform the submission.
But just do a login and look at the location line in your browser and
you'll see that it changed to HTTPS.

--
Barry Margolin, bar...@xxxxxxxxxxxx
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Yes, I also tested that with a Wireshark capture. It immediately sends a
TCP SYN using HTTPS when you submit the form.

BernieM

Nevertheless, it's bad practice to send the form itself over plain
HTTP and use SSL only to protect the data itself:
First, inexperienced users get used to the fact that even "secure"
websites don't need to be SSL-protected.
Secondly, the website containing the form is not guaranteed to be
authentic. This simplifies phishing and spoofing attacks.

Just a remark ...

Regards!
