More US bank silliness
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sun Sep 7 09:29:34 EDT 2008
In the ongoing comedy of errors that is US online banking "security" I've just
run into another one that's good for a giggle: Go to www.wachovia.com and,
without entering any credentials, click 'Login' on their unsecured logon page.
You get taken to an authenticated, SSL-secured... error message page. The
error message page gives you a chance to retry your logon, carefully
redirecting you back to the insecure logon page. So displaying a glorified
401 requires SSL, but obtaining user credentials doesn't.
(Insert standard moan about US banks here).
On a semi-related topic, it'd be interesting to get some discussion about FF3
removing the FF2 SSL indicators of the padlock and (more visibly) the
background colour-change for the URL bar when SSL is active and replacing it
with a spoof-friendly indicator that's part of the favicon, i.e. part of the
attacker-controlled content. The URL bar colouring was by far the most
visible security indicator that any web browser had, the giant leap backwards
of moving to a near-invisible blue border around the favicon does nothing to
indicate security and is trivially spoofed by putting a blue border around the
favicon. There's a bugzilla bug filed against it,
https://bugzilla.mozilla.org/show_bug.cgi?id=430790 (with inevitable dups,
e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=431495) but there's no
indication that the FF developers are interested in fixing it. From the
discussion thread on bugzilla it seems the reason is that only EV certs matter
so there's no point in paying much attention to non-EV certs.
(Again, roll standard music about EV certs benefitting no-one but the CAs
selling them).
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list