AmEx unprotected login site

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Jun 9 01:17:06 EDT 2005


"Perry E. Metzger" <perry at piermont.com> writes:
>"Steven M. Bellovin" <smb at cs.columbia.edu> writes:
>>>They're still doing the wrong thing. Unless the page was transmitted
>>>to you securely, you have no way to trust that your username and
>>>password are going to them and not to someone who cleverly sent you an
>>>altered version of the page.
>>
>> They're doing the wrong thing, and probably feel they have no choice.
>> Setting up an SSL session is expensive; most people who go to their
>> home page do not log in, and hence do not (to Amex) require
>> cryptographic protection.
>
>That's why Citibank and most well run bank sites have you click on a button
>on the front page to go to the login screen. There are ways to handle this
>correctly.

I was just going to mention this myself because I've noticed local banks doing
it, you click on some "log in for online banking" link and get to an HTTPS
login page that's distinct from the HTTP main page.  For Mozilla/Firefox
users, grab a copy of the TargetAlert extension and you'll see this on the
originating page, TargetAlert will tag the login link with the "opens in new
window" indicator and the "HTTPS" indicator (the usual yellow padlock).  When
you've got TargetAlert installed, go to e.g. http://www.asbbank.co.nz/ to see
this.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
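As an added example that is not part of the thread, here is a small Python audit of the pattern discussed above: it parses a page's forms and flags any password form delivered over plain HTTP, whatever URL the form posts to, and separately flags an HTTPS page whose form posts back over HTTP. The sample page, host names and the names audit_login_forms and _FormScanner are constructed for the example.

```python
import html.parser
from urllib.parse import urlsplit, urljoin


class _FormScanner(html.parser.HTMLParser):
    """Collect every <form> on the page and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html_text):
    """Return (finding, resolved_action_url) for each password form on the page.

    A password form on an HTTP page is flagged no matter where it posts: the
    form itself reached the user unauthenticated, so its action could have been
    rewritten in transit, which is the objection raised in the thread.
    """
    scanner = _FormScanner()
    scanner.feed(html_text)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])      # relative actions resolve against the page
        action_scheme = urlsplit(action).scheme.lower()
        if page_scheme != "https":
            findings.append(("login form served over HTTP (alterable in transit)", action))
        elif action_scheme != "https":
            findings.append(("HTTPS page posts credentials over HTTP", action))
        else:
            findings.append(("ok: HTTPS page posting to HTTPS", action))
    return findings


# Constructed sample: an HTTP front page embedding a password form that posts to
# HTTPS, i.e. the pattern criticised above, plus a separate link to an HTTPS login page.
SAMPLE_FRONT_PAGE = """<html><body>
<form action="https://login.example.test/auth" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<a href="https://login.example.test/">Log in for online banking</a>
</body></html>"""
```

Running audit_login_forms("http://www.example.test/", SAMPLE_FRONT_PAGE) yields one finding, "login form served over HTTP (alterable in transit)", even though the action is HTTPS; the same HTML served from an HTTPS URL yields "ok".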
