encrypted tapes (was Re: Papers about "Algorithm hiding" ?)

Ben Laurie ben at algroup.co.uk
Wed Jun 8 07:19:00 EDT 2005


Perry E. Metzger wrote:
> Have a look, for example, at 
> 
> http://www.americanexpress.com/
> 
> which encourages users to type in their credentials, in the clear,
> into a form that came from lord knows where and sends the information
> lord knows where. Spoof the site, and who would notice?
> 
> Every company should be telling its users never to type in their
> credentials on a web page downloaded in the clear, but American
> Express and lots of other companies train their users to get raped,
> and why do they do it? Not because they made some high level decision
> to screw their users. Not because they can't afford to do things
> right. It happens because some idiot web designer thought it was a
> nice look, and their security people are too ignorant or too powerless
> to stop it, that's why.

Why is it bad for the page to be downloaded clear? What matters is the 
destination is encrypted, surely?

Which, as it happens, it is on the above site.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


