AmEx unprotected login site

Perry E. Metzger perry at piermont.com
Thu Jun 9 09:28:49 EDT 2005


Ben Laurie <ben at algroup.co.uk> writes:
> Perry E. Metzger wrote:
>> "Steven M. Bellovin" <smb at cs.columbia.edu> writes:
>>
>>>>They're still doing the wrong thing. Unless the page was transmitted
>>>>to you securely, you have no way to trust that your username and
>>>>password are going to them and not to someone who cleverly sent you an
>>>>altered version of the page.
>>>
>>> They're doing the wrong thing, and probably feel they have no
>>> choice.  Setting up an SSL session is expensive; most people who go
>>> to their home page do not log in, and hence do not (to Amex)
>>> require cryptographic protection.
>> That's why Citibank and most well run bank sites have you click on a
>> button on the front page to go to the login screen. There are ways to
>> handle this correctly.
>
> Why is this better? The button you click can just as easily take you
> to a site other than the one intended.

When I go to the SSL protected page, I can look at the URL and the
lock icon in the corner before typing in my password. When you type in
your password BEFORE the SSL connection, by the time you realize that
it went to the wrong place, it is way too late.

I admit that not everyone will check the URL and the lock icon, but at
least it is *possible* to train people to do the right thing on
that. There is no way, effectively, to train people to be safe given
the way that Amex is set up.


Perry
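One way to check a site for the mistake argued over above, as an added example that is not code from the thread or from any of the sites it names: it parses a page for forms containing a password field and reports when the page itself, or the form's submit target, is not HTTPS. The URLs and markup below are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Record every <form> and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []  # each entry: {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return (severity, message) findings for each password form on the page.
    "delivered over http" is the case argued in the thread: the form arrived in
    the clear, so whoever alters it in transit chooses where the password goes.
    "submits over http" is a TLS page that posts the credentials unencrypted."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue  # search boxes and the like carry no credential
        action = urljoin(page_url, form["action"] or page_url)
        action_scheme = urlsplit(action).scheme.lower()
        if page_scheme != "https":
            findings.append(("high", f"password form delivered over {page_scheme}: {page_url}"))
        if action_scheme != "https":
            findings.append(("high", f"password form submits over {action_scheme}: {action}"))
    return findings

# Constructed sample markup (not from any real site): a plain-HTTP home page
# whose login form posts to HTTPS, and a login page that is itself served over HTTPS.
HOMEPAGE_HTTP = '<form action="https://login.example.test/auth"><input type="password" name="pw"></form>'
LOGIN_HTTPS = '<form action="/auth"><input type="password" name="pw"></form>'
```

The first sample is flagged even though it posts to HTTPS, which is exactly the point made above: what matters is that the user has something verifiable to look at before the password leaves the browser.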

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com