AmEx unprotected login site (was encrypted tapes, was Re: Papers about "Algorithm hiding" ?)

Ken Ballou ballou at crab.mv.com
Wed Jun 8 15:26:35 EDT 2005


Jerrold Leichter wrote:
> | Perry makes a lot of good points, but then gives a wrong example re Amex site
> | (see below). Amex is indeed one of the unprotected login sites (see my `I-NFL
> | Hall of Shame`, http://AmirHerzberg.com/shame.html). However, Amex is one of
> | the few companies that actually responded seriously to my warning on this
> | matter. In fact, I think they are the _only_ company that responded seriously
> | - but failed to fix their site... I had an interesting discussion with their
> | security and web folks, and my conclusions are:
> | 
> | 1. These are serious people who understand technology and security
> | reasonably well. They are aware of many attacks, including much more
> | advanced spoofing attacks (that can foil even an expert user of a `regular`
> | browser - by regular I mean without improved security indicators like
> | provided by TrustBar).  Unfortunately, they use this awareness to justify to
> | themselves the lack of protection (`why should I put a lock when some people
> | know how to break it?`)....
> |
> | 4. Ultimately, what we have here is simply the `usability beats security`
> | rule...
> If you look at their site now, they *claim* to have fixed it:  The login box 
> has a little lock symbol on it.  Click on that, and you get a pop-up window 
> discussing the security of the page.  It says that although the page itself 
> isn't protected, "your information is transmitted via a secure environment".
> 
> No clue as to what exactly they are doing, hence if it really is secure.

Unless I misunderstand, the problem is that I can not determine where my
login information will go without examining the source of the login
page.  Sure, the form might be posted to a server using https.  But,
without examining the source of the login page, I won't be able to look
at the certificate for the site to which my credentials have been sent
until it's too late.

It's still the case that if I retrieve the original login form via
https, I have to examine the page source to see to which server the form
will be posted.  But I can examine the certificate of the site from
which I got the form originally to determine whether this is a phishing
attack.  If the login form itself can be shown to have come from an AmEx
server, I'm probably more comfortable trusting that my credentials are
going to the right server.

Do I completely misunderstand?

					- Ken
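An added example (not part of the original thread) that makes Ken's point mechanical: given a login page's URL and its HTML source, report where each password form will post and whether both the page and the form action are served over HTTPS. The sample HTML and hostnames are constructed for illustration.

```python
# Added example (not from the original thread): audit where a login form
# will send credentials. Ken's point is that the page URL alone does not
# tell you; only the form action buried in the page source does.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record [action, has_password_field] for each <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []          # [action, has_password] per form
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # valueless attributes map to None
        if tag == "form":
            self._in_form = True
            self.forms.append([a.get("action") or "", False])
        elif tag == "input" and self._in_form and (a.get("type") or "").lower() == "password":
            self.forms[-1][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def audit_login_page(page_url, html):
    """Return (resolved_action_url, page_https, action_https) per password form.
    An HTTP page can be rewritten in transit, so action_https alone proves
    nothing about where the credentials will really go; both must be True."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for action, has_password in parser.forms:
        if has_password:
            target = urljoin(page_url, action)  # "" posts back to the page itself
            findings.append((target,
                             urlsplit(page_url).scheme == "https",
                             urlsplit(target).scheme == "https"))
    return findings


# Constructed sample: a login form on a plain-HTTP page whose action is an HTTPS host,
# i.e. the "information is transmitted via a secure environment" arrangement.
SAMPLE_HTML = ('<form method="post" action="https://login.example.com/auth">'
               '<input type="text" name="user"><input type="password" name="pw">'
               '</form>')
```

Calling `audit_login_page("http://www.example.com/", SAMPLE_HTML)` yields a single finding with `page_https=False`, which is exactly the case a user cannot verify from the address bar.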

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
