encrypted tapes

Ben Laurie ben at algroup.co.uk
Wed Jun 8 10:40:22 EDT 2005


Perry E. Metzger wrote:
> Ben Laurie <ben at algroup.co.uk> writes:
> 
>>Perry E. Metzger wrote:
>>
>>>Have a look, for example, at http://www.americanexpress.com/
>>>which encourages users to type in their credentials, in the clear,
>>>into a form that came from lord knows where and sends the information
>>>lord knows where. Spoof the site, and who would notice?
>>>Every company should be telling its users never to type in their
>>>credentials on a web page downloaded in the clear, but American
>>>Express and lots of other companies train their users to get raped,
>>>and why do they do it? Not because they made some high level decision
>>>to screw their users. Not because they can't afford to do things
>>>right. It happens because some idiot web designer thought it was a
>>>nice look, and their security people are too ignorant or too powerless
>>>to stop it, that's why.
>>
>>Why is it bad for the page to be downloaded clear? What matters is the
>>destination is encrypted, surely?
> 
> 
> Why is it a problem? Because the http post method you're relying on
> could have come from anyone -- you're just assuming that it posts to
> Amex's site.
> 
> How often do users hit ^U and read the source on the front page of a
> site like this? Never, for practical purposes. Unless you're looking
> at the code every time, you have no idea where your form data gets
> posted. It could be a server in Moldova instead of Manhattan.

Fair point. Of course, I knew because I did hit ^U - and followed
through to the page containing the javascript it ran!

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com