once more, with feeling.

[Darren J Moffat]

Perry E. Metzger wrote:
> I was shocked that several people posted in response to Peter
> Gutmann's note about Wachovia, asking (I paraphrase):
> 
> "What is the problem here? Wachovia's front page is only http
> protected, but the login information is posted with https! Surely this
> is just fine, isn't it?"

[snip]

> (I won't be forwarding followups to this unless they are unusually
> interesting.)

Hopefully this is interesting enough to get forwarded on...

Sadly this practice is all too common, and often goes hand in hand with 
the other "cardinal sin" of https that of mixed http/https pages.

I believe the only way both of these highly dubious deployment practices 
will be stamped out is when the browsers stop allowing users to see such 
web pages. So that there becomes a directly attributable financial 
impact to the sites that deploy in that way.

As much as I like Firefox & Safari [ the only two browsers I use now ] 
this has to be led by Microsoft with Internet Explorer since that will 
have the biggest impact, given IE 8 is in beta this seems like a perfect 
opportunity to get this in as a change for the next version.

Warnings aren't enough in this context [ whey already exists ] the only 
thing that will work is stopping the page being seen - replacing it with 
a clearly worded explanation with *no* way to pass through and render 
the page (okay maybe with a debug build of the browser but not in the 
shipped product).


-- 
Darren J Moffat

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com