AmEx unprotected login site
Steven M. Bellovin
smb at cs.columbia.edu
Wed Jun 8 18:07:17 EDT 2005
In message <87acm0hd6a.fsf at snark.piermont.com>, "Perry E. Metzger" writes:
>
>Jerrold Leichter <jerrold.leichter at smarts.com> writes:
>> If you look at their site now, they *claim* to have fixed it: The login box
>> has a little lock symbol on it. Click on that, and you get a pop-up window
>> discussing the security of the page. It says that although the page itself
>> isn't protected, "your information is transmitted via a secure environment".
>>
>> No clue as to what exactly they are doing, hence if it really is secure.
>
>They're still doing the wrong thing. Unless the page was transmitted
>to you securely, you have no way to trust that your username and
>password are going to them and not to someone who cleverly sent you an
>altered version of the page.
>
They're doing the wrong thing, and probably feel they have no choice.
Setting up an SSL session is expensive; most people who go to their
home page do not log in, and hence do not (to Amex) require
cryptographic protection.
A few years ago, I talked with someone who was setting up a system that
really needed security. Given how few pages people would visit on the
site, though, he estimated that it would increase his costs by a factor
of about 15. (I didn't verify the numbers; I know from experience that
he's competent and has his heart in the right place re security).
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com