AmEx unprotected login site
Ben Laurie
ben at algroup.co.uk
Thu Jun 9 08:40:08 EDT 2005
Perry E. Metzger wrote:
> "Steven M. Bellovin" <smb at cs.columbia.edu> writes:
>
>>>They're still doing the wrong thing. Unless the page was transmitted
>>>to you securely, you have no way to trust that your username and
>>>password are going to them and not to someone who cleverly sent you an
>>>altered version of the page.
>>
>>They're doing the wrong thing, and probably feel they have no choice.
>>Setting up an SSL session is expensive; most people who go to their
>>home page do not log in, and hence do not (to Amex) require
>>cryptographic protection.
>
>
> That's why Citibank and most well run bank sites have you click on a
> button on the front page to go to the login screen. There are ways to
> handle this correctly.
Why is this better? The button you click can just as easily take you to
a site other than the one intended.
--
>>>ApacheCon Europe<<< http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
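The point argued in this exchange, as an added example that is not part of the thread and not code from any of the banks named in it: when the page carrying a login form (or the "log in" button leading to one) arrives over plain HTTP, anyone on the path can rewrite the form's action= or the button's href= before the browser sees it, so neither pattern is safer than the other, and the only check that holds up is on the channel that delivered the page. The hostnames, HTML and the attacker host below are constructed for illustration; the tamper function stands in for an in-path attacker and is not a real tool.

```python
"""Added example: a credential form is only as trustworthy as the channel
that delivered it.  All hostnames and HTML here are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for a bank front page delivered over plain HTTP.
# It carries both patterns debated in the thread: a form that posts to
# HTTPS, and a "Log in" button that links to an HTTPS login page.
FRONT_PAGE_URL = "http://www.bank.example/"
FRONT_PAGE_HTML = """<html><body>
<form action="https://login.bank.example/authenticate" method="post">
  <input name="user"><input name="pass" type="password"><input type="submit">
</form>
<a href="https://login.bank.example/">Log in</a>
</body></html>"""


class _FormAndLinkFinder(HTMLParser):
    """Collects password-bearing forms and hyperlinks from a page."""

    def __init__(self):
        super().__init__()
        self.forms, self.links, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form and a.get("type", "").lower() == "password":
            self._form["password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def credential_destinations(page_url, html):
    """Where the browser will actually send a password (resolved form
    actions) and where a "log in" button will actually take the user
    (resolved hrefs), as determined by the page content alone."""
    p = _FormAndLinkFinder()
    p.feed(html)
    actions = [urljoin(page_url, f["action"]) for f in p.forms if f["password"]]
    links = [urljoin(page_url, h) for h in p.links]
    return actions, links


def inpath_rewrite(html, attacker_host):
    """Simulates what an attacker sitting between user and server can do to
    a page that was not delivered over TLS: point every action= and href=
    at a host of their choosing.  The https:// scheme is kept so the next
    page still shows a padlock; only the host changes."""
    return re.sub(r'(action|href)="https?://[^/"]+',
                  r'\1="https://' + attacker_host, html)


def form_is_trustworthy(page_url, html):
    """The check the thread argues for.  If the carrying page came over
    HTTP, nothing parsed out of it (action or href) is authenticated, so
    the answer is False no matter where the form claims to post."""
    actions, _ = credential_destinations(page_url, html)
    if urlparse(page_url).scheme != "https":
        return False
    return all(urlparse(a).scheme == "https" for a in actions)


if __name__ == "__main__":
    tampered = inpath_rewrite(FRONT_PAGE_HTML, "login.bank-example.attacker.test")
    for label, html in (("as served", FRONT_PAGE_HTML), ("after rewrite", tampered)):
        actions, links = credential_destinations(FRONT_PAGE_URL, html)
        print(label, "-> password goes to", actions, "; button leads to", links)
    print("trustworthy over HTTP:", form_is_trustworthy(FRONT_PAGE_URL, FRONT_PAGE_HTML))
```

Run stand-alone, the script shows the same rewrite redirecting both the form's action and the button's target, which is Ben Laurie's objection to the "click a button first" pattern: the button is served by the same unprotected page as the form would have been. Serving the front page itself over TLS is what removes the attacker's ability to alter either.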