AmEx unprotected login site

Perry E. Metzger perry at piermont.com
Wed Jun 8 19:01:37 EDT 2005


"Steven M. Bellovin" <smb at cs.columbia.edu> writes:
>>They're still doing the wrong thing. Unless the page was transmitted
>>to you securely, you have no way to trust that your username and
>>password are going to them and not to someone who cleverly sent you an
>>altered version of the page.
>
> They're doing the wrong thing, and probably feel they have no choice.  
> Setting up an SSL session is expensive; most people who go to their 
> home page do not log in, and hence do not (to Amex) require 
> cryptographic protection.

That's why Citibank and most well run bank sites have you click on a
button on the front page to go to the login screen. There are ways to
handle this correctly.

The other major offenders are organizations (such as portions of
Verizon) that subcontract payment systems to third parties. They are
training their users to expect to be directed to a site they don't
recognize to enter in their credit card information. "Really! This is
your vendor's payment site! Pay no attention to the URL and
certificate!"

That one in particular takes amazing brains...

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
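The two failure modes discussed in this message (a credential form delivered over plain HTTP, and a form that sends credentials to a host the user has no reason to recognise) are both checkable from the page source alone. The following is an added example, not code from the list or its posters: a small stdlib-only auditor that uses a password field as the signal for a credential form, resolves each form's action against the page URL, and reports whether the page was delivered over HTTPS, whether the action posts over HTTPS, and whether the action goes to a different host than the page. The three sample pages and host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form>, its action, and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per credential form: its resolved action and a list of problems.

    An empty problem list means the form was delivered over HTTPS, posts over HTTPS,
    and posts back to the same host the user is already looking at.
    """
    page = urlsplit(page_url)
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A relative or empty action resolves against the page that served the form.
        target = urlsplit(urljoin(page_url, form["action"]))
        problems = []
        if page.scheme != "https":
            problems.append("form delivered over plain HTTP; the page itself could have been altered in transit")
        if target.scheme != "https":
            problems.append("credentials would be posted over plain HTTP")
        if target.hostname != page.hostname:
            problems.append("credentials posted to a different host: %s" % target.hostname)
        findings.append({"action": target.geturl(), "problems": problems})
    return findings


# Constructed sample pages (hypothetical hosts), one per situation from the thread.
SAMPLE_PAGES = {
    # Front page served over HTTP with an inline login box posting to HTTPS.
    "http://bank.example/": (
        '<form action="https://bank.example/login" method="post">'
        '<input name="user"><input type="password" name="pw"></form>'
    ),
    # The "click through to a dedicated HTTPS login page" pattern: no problems.
    "https://bank.example/login": (
        '<form action="/auth" method="post">'
        '<input name="user"><input type="password" name="pw"></form>'
    ),
    # Checkout page handing the credential form off to a third-party host.
    "https://shop.example/checkout": (
        '<form action="https://payments.example/pay" method="post">'
        '<input name="card"><input type="password" name="pin"></form>'
    ),
}


def audit_samples():
    """Run the auditor over every constructed sample page."""
    return {url: audit_login_forms(url, html) for url, html in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for url, findings in audit_samples().items():
        print(url)
        for finding in findings:
            print("  form ->", finding["action"])
            for problem in finding["problems"] or ["ok"]:
                print("    ", problem)
```

The host-mismatch check is deliberately strict: a bank that legitimately uses a separate login host will trip it, which is the point, since the user has no way to tell that case from a redirect to an attacker's host without some prior, out-of-band reason to trust the second name.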
