On the topic of "Asking the drunk"...

Jerry Leichter leichter at lrw.com
Sat Jan 10 06:13:49 EST 2009


On Jan 9, 2009, at 6:49 AM, Peter Gutmann wrote:

> https://visa.com/
I get no response.  None at https://www.visa.com either.

On the other hand, the US-specific site, https://usa.visa.com,
responds just fine - but it redirects you to
http://usa.visa.com/index.html.  Try that same address with https,
and it's accepted - but again redirected to the http version.

That one is at least in the Visa domain.  It gets a bit more complex
for other regions - e.g., the Asian sites are accessible via
https://www.visa-asia.com/ - but that redirects to
http://www.visa-asia.com/ap/index.shtml - even though
https://www.visa-asia.com/ap/index.shtml actually works!

I'm guessing that Visa has country- (or perhaps region-)specific  
certs, which would make some sense - but the random mix of http and  
https addresses is pretty broken.

It's not clear there's anything at visa.com that's really in need of  
protecting, of course.  It's not a card issuer, its member banks are.   
Then again ... if you start from https://usa.visa.com and go to  
"Access Account Information", you are sent to a (non-SSL) page that  
claims to have links to the largest issuing banks - except that none  
of the "links" actually works - which I guess is appropriate, since  
you shouldn't be trusting them anyway!

A very strange set of sites....
                                                         -- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
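
The https-to-http redirects described in the message above can be checked mechanically from a recorded redirect chain. The following is an added example, not part of the original post: the function names are hypothetical, and the sample hops are constructed (the 302 status codes and the example.test host are assumptions), shaped after the behaviour the post describes.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample (not captured traffic): a chain shaped after the redirect
# the post describes. The 302 status code is an assumption.
SAMPLE_DOWNGRADE = [
    ("https://usa.visa.com/", 302, "http://usa.visa.com/index.html"),
    ("http://usa.visa.com/index.html", 200, None),
]
# Constructed counter-example on a placeholder host: a relative Location
# that keeps the visitor on https.
SAMPLE_CLEAN = [
    ("https://shop.example.test/", 302, "/ap/index.shtml"),
    ("https://shop.example.test/ap/index.shtml", 200, None),
]

def audit_redirects(hops):
    """Return findings for a recorded chain of (url, status, Location) hops."""
    findings = []
    for url, status, location in hops:
        if not (300 <= status < 400 and location):
            continue  # not a redirect, nothing to compare
        target = urljoin(url, location)  # Location may be relative
        src, dst = urlsplit(url), urlsplit(target)
        if src.scheme == "https" and dst.scheme == "http":
            findings.append(("downgrade", url, target))
        if src.hostname != dst.hostname:
            findings.append(("host-change", url, target))
    return findings

def https_twin(url):
    """Return the https form of an http URL, i.e. the address to request
    when checking whether the secure version of the page exists."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return parts._replace(scheme="https").geturl()

if __name__ == "__main__":
    for kind, src, dst in audit_redirects(SAMPLE_DOWNGRADE):
        print(f"{kind}: {src} -> {dst} (https form to test: {https_twin(dst)})")
```
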


