Re: Banks Abandoning SSL On Home Page Log-Ins in Security http://www.dslreports.com/forum/r14211878 en Thu, 21 Aug 2008 04:37:03 EDT Thu, 21 Aug 2008 04:37:03 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14223123 zoom314 : I didn't read through the whole thread, But Washington Mutual Bank has a very Secure Homepage. How secure is It? Simple You have to enter Your username and password everytime You visit and the webpage won't allow the Browser to save either one and If You back back out using the backspace key or the Back arrows You have to renter both to get back in.:) Not bad for just a Free checking account.
--
Firefox forever!
»zoom314.blogspot.com/
»mysite.verizon.net/zoom314/]]> http://www.dslreports.com/forum/remark,14223123 Fri, 26 Aug 2005 01:05:18 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14222865 Mele20 : How is this a "GOOD thing"? Just because you think it is? Could you please state the reasons why you think this a good thing? I think it is a very BAD thing because users are taught to look for "https" and for the lock icon before entering sensitive information. So, how is having these indicators missing a "good" thing? Users are just supposed to "trust" that the site will encrypt the sensitive information when sent? Only a birdbrain would give that sort of trust to a website. If I can't login on a secure login page at my bank then I won't be using their website and, in the case of credit cards, I will be cancelling and getting ones from banks that still have a secure login page.
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus]]> http://www.dslreports.com/forum/remark,14222865 Fri, 26 Aug 2005 00:19:37 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14222768 mallyman : so they don't encrypt the page BEFORE the login... uh... no biggy....

people, read about this stuff and learn it before you respond with the rants...

its been done or years on other 'security' sites where the content of the page does not have anything that needs encryption...

its a GOOD thing]]> http://www.dslreports.com/forum/remark,14222768 Fri, 26 Aug 2005 00:03:19 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14222374 alanhdsl : Apart from the pictures, Bank of America's new Sitekey system does redirect you to a https page before you enter anything.

The idea behind it is that it reduces phishing by showing you an image and phrase you set. The other side is that when you log in the first time from a PC (no cookie), it asks you an extra question beyond your PIN.

I have heard SSL likened to making a delivery in an armored car to a cardboard box. :) There have been lots of breakins on the server side, but are there any actual cases of accounts being swiped from sniffing non-SSL packets?]]> http://www.dslreports.com/forum/remark,14222374 Thu, 25 Aug 2005 22:58:00 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14220455 Mele20 :
said by Brisk See Profile :

With some banks like Key and Chase/Bank1One you can substitute HTTP:// for HTTPS:// and there you have it, a secure connection from the start.
Why would you do that? Chase has a secure login page.
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus]]> http://www.dslreports.com/forum/remark,14220455 Thu, 25 Aug 2005 18:54:13 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14218931 Daniel :
said by nil See Profile :

said by Martinus See Profile :

I'd say it's more about usability and providing the users with a clear picture of where they are and what's the security offered.
You do realize that what the Login page offers isn't the same as offering security or lack thereof on the actual login process? Don't confuse the two..
But that's the thing...the actual security being offered isn't the point -- it's the fact that that it can't be tested before it goes into effect. And that's what every user has been trained to do -- to make sure before entering their credentials. Again, it's a user training/perception issue.
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14218931 Thu, 25 Aug 2005 15:37:13 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14218767 haertig : I usually give three "rules" to non-technical friends and family:

(1) Never open any email attachment (pretty strict!)
(2) Never respond to any email telling you "your account needs to be updated"
(3) Never enter sensitive information into any website if you don't know for sure where you are, and also see the padlock icon
(4) If you find yourself unexpectedly at some login page:
(4a) Test first with a bogus login and password (it better not let you in!)
-or-
(4b) Ignore the redirect to the login page (do not enter any information). Instead, access the login page manually from a bookmark that you have saved and know is good.

Technically, this level of paranoia is not required. But we're not talking technical people, now are we?!

I personally think the banks doing away with homepage SSL are making a mistake. Not technically, but socially ... considering the typical non-technical customer.]]> http://www.dslreports.com/forum/remark,14218767 Thu, 25 Aug 2005 15:15:24 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14218349 Brisk : With some banks like Key and Chase/Bank1One you can substitute HTTP:// for HTTPS:// and there you have it, a secure connection from the start.
--
Qwest DSL - Lag and get Fragged.™]]> http://www.dslreports.com/forum/remark,14218349 Thu, 25 Aug 2005 14:20:29 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14218197 OZO :
said by nil See Profile :

You do realize that what the Login page offers isn't the same as offering security or lack thereof on the actual login process? Don't confuse the two..
Sorry, but for many users it's the same. They make their important jujment (is it secure to put username/password here or not) based on lookin on padlock and/or "https".
[rant] Is it so difficult to make a separate and very simple login page for some banks? What's the big deal? Especially if it's important for their customers.[/rant]
--
Keep it simple, it'll become complex by itself...]]> http://www.dslreports.com/forum/remark,14218197 Thu, 25 Aug 2005 14:01:38 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14218188 Rexter :
said by mrg123 See Profile :

I sent an email to my bank (a small credit union) complaining about this.
Good job man. You don't have to rant to them, just let them know. While this does not affect more security conscious people like myself, directly, I'm going to do the same.
--
When all is said, and done, there will be more said than done.]]> http://www.dslreports.com/forum/remark,14218188 Thu, 25 Aug 2005 13:59:46 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14218136 mrg123 : In light of the recent DNS poisoning attacks, this is a really stupid move by the banks.

If my ISP's DNS server gets hacked, then I could enter the correct URL for my bank on my virus-free computer.

My computer would then faithfully load a malicious page that looks exactly like my bank's. Of course, I won't see the padlock but my bank doesn't bother with that anyway. I enter my login and password, which are then transmitted in the clear to some criminal's server.

Again, this will happen even though my bank's server is secure and my own PC is secure.

I sent an email to my bank (a small credit union) complaining about this. They did not respond. At least they do have a link from the main page that takes you to an SSL-secured separate login page, but I suspect that most customers login from the main page.]]> http://www.dslreports.com/forum/remark,14218136 Thu, 25 Aug 2005 13:52:44 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14218132 Rexter : You're referring to a non encrypted page that loads an encrypted frame. I'm talking about an encrypted frame that loads the rest of the non encrypted page. Yea, I really said it backwards. Lets say the URL is https, but that address only contains 1 small frame, on the page, that loads the rest of the non encrypted page.

I must admit that I still wouldn't like it. I wouldn't be able to tell, at a glance, if the frame, where my username and password is going, is encrypted or not. But this would appease Steves' so called "ignorant people."
--
When all is said, and done, there will be more said than done.]]> http://www.dslreports.com/forum/remark,14218132 Thu, 25 Aug 2005 13:52:07 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14218097 B :
Huh? nil, that's the whole darned point! They are easily and frequently confused the MAJORITY of the time, and for darned good reason.

The essence of the web is presentation; suddenly we shouldn't care how the security of a site is presented?

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,14218097 Thu, 25 Aug 2005 13:47:32 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14218061 nil :
said by Martinus See Profile :

I'd say it's more about usability and providing the users with a clear picture of where they are and what's the security offered.
You do realize that what the Login page offers isn't the same as offering security or lack thereof on the actual login process? Don't confuse the two..
--
Life is too short to be boring]]> http://www.dslreports.com/forum/remark,14218061 Thu, 25 Aug 2005 13:43:54 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14218020 Martinus :
said by Steve See Profile :

It's a value judgment whether one ought to provide the warm-and-fuzzy feeling that an SSL-based login page provides...
I'd say it's more about usability and providing the users with a clear picture of where they are and what's the security offered.

The problem here is that you are mixing up the roles of the web storyboard designers and the programmers. It's not the "security experts" or programmers' fault that users don't get the "warm-and-fuzzy feeling" which, of course, they are entitled to. As a "security expert" or programmer you don't have to think about warm-fuzzy feelings. That's for designers.

It's just sloppy design. C'mon. Putting two login fields in your not SSL enabled front page - for saving CPU cycles - is more expensive - more HTML code, JS validations, etc - than placing a "Click here for secure login" button.
--
From the GSV "Ethics Gradient"]]> http://www.dslreports.com/forum/remark,14218020 Thu, 25 Aug 2005 13:38:57 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14217978 B :
said by Daniel See Profile :

said by Steve See Profile :

But when the justification is "What if you're on a compromised machine?", it demonstrates that not everybody in this discussion really has even a basic grasp of computer security.
Well, yeah, that's a completely separate argument. We're discussing the login thing specifically here (I thought).
Dude, contrarian curmudgeons don't have to be consistent or even fair. It's part of their charm. Low hanging fruit's fair game. :)

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,14217978 Thu, 25 Aug 2005 13:32:51 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14217977 Steve :
said by Daniel See Profile :

We're discussing the login thing specifically here (I thought).
said by somebody else in this thread :

Imagine this: your computer has been compromised and you don't know about it. One day you go to your banks website and it looks the same but it's actually some hacker's web page. ...
When one uses a foolish argument to justify a position, they lose the right to be taken seriously (though it doesn't necessarily undermine the other justifications).

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site]]> http://www.dslreports.com/forum/remark,14217977 Thu, 25 Aug 2005 13:32:49 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14217952 jefe :
said by astirusty See Profile :

said by Steve See Profile :

People who don't really understand security are in a poor position to direct the security practices of others.

Steve
Like wise; "security experts" who do not realize the limited computer knowledge of average users - are also in a poor position to direct security practices. ;)
Touchè! Exactly.

Expecting an average user to assume that a bank's login info is sent via secure link, or to dig through pages of html to assure that it is, is techno elitism and shear folly.]]> http://www.dslreports.com/forum/remark,14217952 Thu, 25 Aug 2005 13:28:50 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14217945 Daniel :
said by Steve See Profile :

But when the justification is "What if you're on a compromised machine?", it demonstrates that not everybody in this discussion really has even a basic grasp of computer security.
Well, yeah, that's a completely separate argument. We're discussing the login thing specifically here (I thought).
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14217945 Thu, 25 Aug 2005 13:27:59 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14217919 Steve :
said by Daniel See Profile :

I think Steve's comments are being taken out of context. I find it hard to believe that he doesn't grasp the issues we're discussing here.
It's a value judgment whether one ought to provide the warm-and-fuzzy feeling that an SSL-based login page provides, and I could really go either way on this, and those supporting it have a legimate point.

But when the justification is "What if you're on a compromised machine?", it demonstrates that not everybody in this discussion really has even a basic grasp of computer security.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site]]> http://www.dslreports.com/forum/remark,14217919 Thu, 25 Aug 2005 13:24:42 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14217893 B :
said by Daniel See Profile :

I think Steve's comments are being taken out of context. I find it hard to believe that he doesn't grasp the issues we're discussing here.
Well, he's always got that John "C." Dvorak contrarian curmudgeon thing going on. I think he enjoys it.

:)

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,14217893 Thu, 25 Aug 2005 13:21:11 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14217861 Daniel : I think Steve's comments are being taken out of context. I find it hard to believe that he doesn't grasp the issues we're discussing here.
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14217861 Thu, 25 Aug 2005 13:16:14 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14217735 harryhoudini : My credit union is also planning on doing this sometime this year. I was also sceptical but that is because I did not understand how it works.

I need to fully understand since I am sure I will have to deal with the concerned calls of novest and "self proclaimed" experts as well.]]> http://www.dslreports.com/forum/remark,14217735 Thu, 25 Aug 2005 13:02:12 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14217632 astirusty :
said by Steve See Profile :

People who don't really understand security are in a poor position to direct the security practices of others.

Steve
Like wise; "security experts" who do not realize the limited computer knowledge of average users - are also in a poor position to direct security practices. ;)]]> http://www.dslreports.com/forum/remark,14217632 Thu, 25 Aug 2005 12:51:15 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14217568 David : Well, U.S. Bank still does... here is the certificate to prove it.
]]> http://www.dslreports.com/forum/remark,14217568 Thu, 25 Aug 2005 12:40:23 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14217475 Just Basics : BB&T has what I consider to de a well designed website that I am comfortable with. Pages that are easily accessed with acceptable load times and secure where they are expected to be. Sites like this are a blessing for those of us still on dial up.

»www.bbandt.com]]> http://www.dslreports.com/forum/remark,14217475 Thu, 25 Aug 2005 12:28:11 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14217217 redwolfe_98 : i have considered that the whole system was being setup to facilitate crime.. ]]> http://www.dslreports.com/forum/remark,14217217 Thu, 25 Aug 2005 11:50:53 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14216965 B :
said by Daniel See Profile :

They did it so that 1) the login fields could be on the front page, and 2) so that that page didn't have to be encrypted -- since it's harder on the webserver to encrypt the front page for every single visit.
I find it amusing that Steve's position, at least, seems to be that the IT professionals know best and that "ignorant" consumers should leave web site security in their hands, but that all the changes we're discussing were clearly driven entirely by the marketing department and bean counters.

In other words, if the webmasters were ordered to omit SSL entirely from the login transaction in order to save even more precious CPU cycles and make room for even Flashier home page portals, they'd go right ahead and do that too.

-- B

P.S. Again, I agree that encrypting the home page would be stupid. (Edit: Let me amend that; it would actually be a nice touch to say that all communications with your bank site were secured, but it's not prudent to do it for home page and public data display.) But then enabling login from the home page is completely unnecessary, even from a marketing standpoint.
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,14216965 Thu, 25 Aug 2005 11:14:31 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14216824 Daniel : They did it so that 1) the login fields could be on the front page, and 2) so that that page didn't have to be encrypted -- since it's harder on the webserver to encrypt the front page for every single visit.
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14216824 Thu, 25 Aug 2005 10:53:20 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14216656 robscullion : Sounds simple to me B. I'm actually kind of surprised how much discussion this is generating. Being able to easily verify the SSL cert of a site before entering vital details would always seem to be better than not.

I'm not sure why banks went to the "https on submit" method at all actually. Maybe having a link to a secure login page just isn't sexy enough for them?]]> http://www.dslreports.com/forum/remark,14216656 Thu, 25 Aug 2005 10:25:20 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14216348 RobertLudlum : Hmm on the none-american front, I checked 4 major banks here.

1 - had SSL encryption for the whole site
3 - Had it only for the logon page.

Encrypting the whole website makes little sense it seems, but doing so for just the logon page seems to be worthwhile. ]]> http://www.dslreports.com/forum/remark,14216348 Thu, 25 Aug 2005 09:30:15 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14216218 dslhater : And that last commment has to do with banks??? ]]> http://www.dslreports.com/forum/remark,14216218 Thu, 25 Aug 2005 09:03:03 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14216156 Martinus :
said by Cudni See Profile :

What if more specific (as amazon does)?
Of course, that's the way to do it.

I see no point at all in serving your bank's info pages, press releases, news, etc - add here annoying Flash movies and animated gifs - thru' https.

For one, you can't serve graphics which don't live in your domain as this will do two things - at least in IE:

1.- You'll get an alert box stating: "This page contains both secure items and nonsecure items..." and

2.- The padlock in your status bar will dissapear even if the page is using https protocol.

You can see it live at B See Profile's site for $3 pants
--
From the GSV "Ethics Gradient"]]> http://www.dslreports.com/forum/remark,14216156 Thu, 25 Aug 2005 08:47:13 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14216119 Martinus :
said by Rexter See Profile :

Can't they just create a small encrypted frame, on the home page?
Having an encrypted frame inside a frameset where other frames are not encrypted won't display the HTTPS padlock.
--
From the GSV "Ethics Gradient"]]> http://www.dslreports.com/forum/remark,14216119 Thu, 25 Aug 2005 08:37:55 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14215925 Cudni : What if more specific (as amazon does)?
]]> http://www.dslreports.com/forum/remark,14215925 Thu, 25 Aug 2005 07:47:35 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14215905 Rexter : I prefer to know that it's being encrypted before I submit sensitive information. I think that it's bad form to train people to input sensitive information into a non encrypted page.
Why is this such an issue anyway? The entire home page doesn't have to be encrypted. Can't they just create a small encrypted frame, on the home page?
--
When all is said, and done, there will be more said than done.]]> http://www.dslreports.com/forum/remark,14215905 Thu, 25 Aug 2005 07:38:28 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14215838 cork1958 : My bank is still encrypting their entire site at least.

Whichever way the site works, whether the sign in page is noticeably encrypted up front or not, it doesn't look good NOT having it encrypted.
--
Spread Opera. Fastest browser on Earth or in Cyberspace!!]]> http://www.dslreports.com/forum/remark,14215838 Thu, 25 Aug 2005 07:11:02 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14215648 B :
Well, there's always CAPTCHAs, or maybe not...

»it.slashdot.org/it/05/08/24/1629···2&tid=95

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,14215648 Thu, 25 Aug 2005 05:48:05 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14215491 Link Logger : I think banks should have everything encrypted with huge highly detailed images that change often and lots of large graphics, huge pages that gobble up enormous bandwidth, which would require banks to use very expensive hardware and huge pipes. The idea being that only a bank could afford such technology and joe hacker using some zoombied twinkie web server couldn't duplicate the technical requirements/quality, so the bank's clients would be safe based on a quick survey of the page's quality (image quality ie zoom in to see hidden details, or response time quality).

This is the attitude used for securing your hard money, as only a government could afford such paper and printing and technology, so counterfeits can be spotted as not being the same quality as real money. Of course the issue here is of scale, its not comparing one bill to another, its servicing 10,000s of clients compared to ripping off a couple 100s for example so you could serve up such pages if you limited your targets to keep acceptable response times for example from your Twinkie evil server.

Of course this wouldn't work, but sometimes I find it interesting to look at problems from different angles and see if there is a different solution to old problems as the typical solutions don't seem to be solving this one. Maybe having something exclusive (ie a certificate is an example of an exclusive artifact) or requiring something really expensive (to the point it becomes exclusive) is the answer here. Something to think about. Given most large banks generate profits in the billions (or at least they do here in Canada), perhaps costs shouldn't be a concern here.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel]]> http://www.dslreports.com/forum/remark,14215491 Thu, 25 Aug 2005 04:07:44 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14215416 Mele20 : :o LOL]]> http://www.dslreports.com/forum/remark,14215416 Thu, 25 Aug 2005 03:32:42 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14215381 B : But you don't understand, Daniel. My jeans. My $8 jeans.

Sigh.

:(

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,14215381 Thu, 25 Aug 2005 03:12:26 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14215370 Daniel :
said by B See Profile :

Based on the attitudes expressed in this thread, I guess we should just start tearing out sheets from the Security FAQ, including
»Security »How do I avoid online credit / debit card fraud? and »Security »Scam Email: What is Phishing? What do I do about it?

The padlock? It means nothing. https? For noobs. Real computer users either trust their bank, and its IT staff, and its IT outsourcers, and its web hosts, and its content delivery networks, to always do the right thing; and/or they personally orchestrate each https POST from a command line rather than click on web forms.
Easy killer. They didn't think it was a big deal but have since acknowledged that it is. No need to get go all hardcore on them. :)
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14215370 Thu, 25 Aug 2005 03:07:58 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14215294 Mele20 : I just sent a secured message to Chase customer service linking to this thread and telling them that while I love the ease of making credit card payments now, (and the fact they post the same day now instead a week later as had been the case), that I am really disappointed in them hiding the secure login page. I suggested they consider doing like CapitalOne does. It will be interesting to see what response I get. Maybe someone from there will show up in this thread. (I doubt it...but you never know). These are the only banking sites I use on line except for local banks and I don't use their online services on any regular basis. I guess I need to go see if they have changed to a non secure login page.
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus]]> http://www.dslreports.com/forum/remark,14215294 Thu, 25 Aug 2005 02:41:15 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14215227 B : Based on the attitudes expressed in this thread, I guess we should just start tearing out sheets from the Security FAQ, including
»Security »How do I avoid online credit / debit card fraud? and »Security »Scam Email: What is Phishing? What do I do about it?

The padlock? It means nothing. https? For noobs. Real computer users either trust their bank, and its IT staff, and its IT outsourcers, and its web hosts, and its content delivery networks, to always do the right thing; and/or they personally orchestrate each https POST from a command line rather than click on web forms.

Just trying to be clear here.

:(

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,14215227 Thu, 25 Aug 2005 02:21:00 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14215217 dirtrat : Well then you are alot more trusting of these MONEY MAKING banks and organizations to do the right thing than I am. I sure hope that works out for you!

said by Steve See Profile :

said by jefe See Profile :

Doesn't that have the effect of sending your userid and password in plain text?
No way: it's not the fetch of the main page that determines this, but the action upon submit, and everybody still encrypts the important stuff.

It's very expensive to encrypt large amounts of home-page traffic that doesn't really require it, and doing this just so ignorant people feel better just ends up imposting costs on everybody for no good purpose (hmmm, that sounds just like our war on terrorism).

Steve
]]> http://www.dslreports.com/forum/remark,14215217 Thu, 25 Aug 2005 02:17:57 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14215188 Mele20 :
said by jefe See Profile :

Doesn't that have the effect of sending your userid and password in plain text?

I noticed my little bank, JP Morgan-Chase, is using an unsecure page for login now.

If you login in plain text, what's the sense to having all the following information encrypted?
There is a secure login page on the Chase site. You have hunt around for it though.
»https://chaseonline.chase.com/chaseonlin···ogon.jsp

CapitalOne does it the right way. They have you click on login on the unsecure main page but that click takes you to a SECURE page where you actually enter your information. Chase has just totally redone their site and method of credit card payment. It is ironic that they have secure message center and other stuff and bill paying is much easier than it was with Chase Presientment but all this secure stuff now except for login unless you look in rather obscure places for the secure login page. :(
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus]]> http://www.dslreports.com/forum/remark,14215188 Thu, 25 Aug 2005 02:12:05 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14215180 swanboy : Truthfully, I'm not worried about it.

Although it would alarm me if they were no longer using https at all, if they tell me that my login information is going to be transmitted securely... then I'll believe it.

I'm not gullible, nor stupid but I do know that
The financial institution is not going to lie about security.

If it was something untrustworthy then I would question it, but it's our bank... I'm not worried.]]> http://www.dslreports.com/forum/remark,14215180 Thu, 25 Aug 2005 02:10:12 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14214969 eljay001 :
said by nil See Profile :

A bigger security issue is having users enter usernames/passwords altogether.. with keyloggers running around like bunnies in spring the concern should be why haven't banks come up with a better way of identifying a user than their full username/password?
HSBC's online banking site has a "virtual keyboard" that is used to access some parts of their online banking site (e.g. Bank to Bank transfers.) I think it's a pain in the ass because since I don't have any keyloggers installed on my machine. I guess it is a nice thought for those people out there who are infected with something nasty, though.

HSBC's Virtual Keyboard
]]> http://www.dslreports.com/forum/remark,14214969 Thu, 25 Aug 2005 01:25:06 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14214747 Steve :
said by Bryan001 See Profile :

Imagine this: your computer has been compromised and you don't know about it.
If my computer has been compromised, the game is already over.

Rather than worry about secret redirections where I have it in my power to see that something is up when the bogus site doesn't let me in (and where I can call my bank immediately), I worry about a keylogger that's capturing my visit to the legitimate banking site, with me none the wiser that I've been had until long after it's too late.

People who don't really understand security are in a poor position to direct the security practices of others.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site]]> http://www.dslreports.com/forum/remark,14214747 Thu, 25 Aug 2005 00:45:26 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14214686 Bryan001 : Imagine this: your computer has been compromised and you don't know about it. One day you go to your banks website and it looks the same but it's actually some hacker's web page. With the ssl on homepage approach, you would know something is up immediately. With this one though, you just enter your username and password as usual. You hit the submit button and send the info off to whoever and when the next page loads, it's only then you know that your screwed.
A day late and a buck short ]]> http://www.dslreports.com/forum/remark,14214686 Thu, 25 Aug 2005 00:34:17 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14214468 antiserious :
... both my credit unions encrypt the login page, before any info is input, and I'd prefer it this way if given a vote ... it may not matter even a little bit in the grand scheme of security, but alas, to much of the world Perception IS Reality, like it or not ... for those less computer-literate I'm sure it's reassuring ... for me it shows they've gone just a little bit farther than they had to (or just far enough, depending on your POV) to present a credible interface, and to be thorough - since I've spoken to the webmaster at my main credit union I know he's 'up-to-speed' and 'on-the-ball', but what's easier - explaining to users that their data is still secure when they hit send (and hoping they see it and believe it) or showing them in the manner they've been taught to expect ...

... present company excluded, of course - we're all above being concerned about the appearance of an icon, or lack thereof ... :uhh: ...

--
... "Do You Know Where Your Towel Is ?" ...]]> http://www.dslreports.com/forum/remark,14214468 Wed, 24 Aug 2005 23:53:53 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14214196 B :
I hope you're right, nil See Profile, but I can't help thinking that this has been considered for years in the business world and the best we seem to have come up with is smart card tokens with synchronized time-based hashes. They're annoying. Fingerprint scanners have been shown in most cases to have laughable security. I don't know that there's an answer. (Though MS seems to feel differently.) I'm not ready to give up on userids and passwords.

I talked about a too-common little cert issue at »Eddie Bauer A major retailer went almost THREE WEEKS with an expired cert. Nobody cared. They still sold out of the Classic Fit Jeans.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,14214196 Wed, 24 Aug 2005 23:15:11 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14214110 nil : That's a fair point :)

I still say the real issue is the kind of information that is sent.. not how it's sent. All the security & keylogger issue could be made a lot less relevant with some brainstorming..
--
Life is too short to be boring]]> http://www.dslreports.com/forum/remark,14214110 Wed, 24 Aug 2005 23:06:30 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14214095 Daniel : Actually folks, there is another major issue here. How exactly are they supposed to verify the authenticity of a certificate? Are they supposed to do it after entering their credentials and sending them somewhere?

At that point it's more an informational thing. "Oh goody, let me just check and see real quick where I actually just sent my password." :) Russia? Oh, that's not good.

The browser should balk at bad certs, but the point is that this is not the sort of thing you want to verify after clicking submit.
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14214095 Wed, 24 Aug 2005 23:04:18 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14214053 B : I implied this in my first post above, but I'll put it a different way.

There's no reason for SSL on a bank's home page.

There's every reason for SSL on every page where that bank displays or solicits personal information, including and especially the login page.

Best practice -- big "LOG IN TO YOUR ACCOUNT" button on top of the screen / menu (on the ordinary http home page) takes you to an https login page. What the heck is so hard about that? No wasted SSL CPU cycles on home page views or CD rate lookups, ONLY a straightforward encryption of a separate secure login page. Jeez.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,14214053 Wed, 24 Aug 2005 23:00:05 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14214015 bbrlogue :
said by nil See Profile :

Good idea.. but.. how long before bad guys create an image button that looks just like it..

Don't most browsers alert a user when they're submitting information in the clear? What's wrong with that?
Yes, but as I noted above, users can turn that off. Let's say dad turned it off, and mom or kids don't 't pay attention, that's what's wrong.

Another possibility is a pop-up or righ-click, so the submit button has a context sensitive menu such as "Show submit location" or something similar, or even as simple as "Show security"... this is several steps easier than users viewing the source (luckily with Firefox/Mozilla, you can highlight a section and right-click to get "View Selection Source" to jump right to the part)]]> http://www.dslreports.com/forum/remark,14214015 Wed, 24 Aug 2005 22:55:55 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213987 Daniel :
said by nil See Profile :

Good idea.. but.. how long before bad guys create an image button that looks just like it...
I guess the idea would be to reformat your submit buttons on the fly, ala Greasemonkey. So it wouldn't matter what the original button looked like.

But in order to be effective that would have to be part of the browser by default. You can't rely on a plugin for that because the people who are going to get hurt are the ones without the plugin anyway.
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14213987 Wed, 24 Aug 2005 22:53:06 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213980 EGeezer : BTW on the Bank One page, I simply enter a bad ID and password in the login. The page then goes SSL and I can check the Cert.

But, average non-technical users won't think of that.
--
Every Good Electrical Engineer Zeroes Each Register]]> http://www.dslreports.com/forum/remark,14213980 Wed, 24 Aug 2005 22:52:10 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213936 astirusty :
said by Daniel See Profile :

We can only ask so much of a regular user, guys. They've been told a single thing for years now -- don't ever enter your password into an unencrypted page.
Exactly, you can not expect the common user to understand the underlying happenings and in fact there is no valid reason for them to be able to do so. They are simply users.

It would be like expecting a computer security expert to understand the underlying happenings of power supplies and if they couldn't declaring them unfit to use a computer. ]]> http://www.dslreports.com/forum/remark,14213936 Wed, 24 Aug 2005 22:48:05 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213926 nil : Good idea.. but.. how long before bad guys create an image button that looks just like it..

Don't most browsers alert a user when they're submitting information in the clear? What's wrong with that?
--
Life is too short to be boring]]> http://www.dslreports.com/forum/remark,14213926 Wed, 24 Aug 2005 22:47:31 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213916 Daniel :
said by bbrlogue See Profile :

What would be nice is for browsers to 'style' the submit button differently, whenever it it detects the form action is to an HTTPS url (regardless of the current page URL) -- similar to the way they display some kind of padlock in the status bar or the address bar.
Wow, that's a badass idea.
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14213916 Wed, 24 Aug 2005 22:46:18 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213898 bbrlogue : This is an acceptable technique. The page content is transmitted to the user-agent/browser in plain text, but the form data is posted to the server over HTTPS. I've done it on several sites to get better performance, especially on those that get thousands of logins a day.

What would be nice is for browsers to 'style' the submit button differently, whenever it it detects the form action is to an HTTPS url (regardless of the current page URL) -- similar to the way they display some kind of padlock in the status bar or the address bar. This is actually a more foolproof way to warn users that the data will be posted securely.

Think about the reverse situation... the page content is from an HTTPS URL, but the form explicitly specifies an HTTP action URL. Some if not most browsers will display a warning dialog, but they also allow users to turn the warning off after the first one. In that case, users will be tricked into thinking that they are securely submitting data because the page is HTTPS.

So, instead of users relying on the padlock at the status bar (which could be hidden on a popup page), or the HTTPS on the address bar (which could also be hidden on a popup), it would helpful if the submit button gets styled differently, and make it work such that it would cooperate with the style or can be defined as part of CSS to make it aesthetic-friendly...

Firefox-plugin, anyone?]]> http://www.dslreports.com/forum/remark,14213898 Wed, 24 Aug 2005 22:43:50 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213892 mers2 :
said by nil See Profile :

After seeing megabytes full of keylogger output of bank logins on a hacker's machine once.. I'm convinced the whole username/pass thing is passe at best.
Instead they focus on cosmetic changes. Remember the picture of your pet BofA wants you to provide?
--
God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die. ]]> http://www.dslreports.com/forum/remark,14213892 Wed, 24 Aug 2005 22:43:30 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213874 nil : A bigger security issue is having users enter usernames/passwords altogether.. with keyloggers running around like bunnies in spring the concern should be why haven't banks come up with a better way of identifying a user than their full username/password? So if something does get keylogged, transmitted in a clear or seen over the shoulder in a public library it is *not* useful without knowing the full story.

A good example would be requiring every x letter of a long password where x is a random number that changes from login to login..

I'm sure there are other ways. Now that would be an interesting technical news article.. not panic over what is nothing more than a UI issue. (.. and by article I meant the original Information Week article not this thread).

After seeing megabytes full of keylogger output of bank logins on a hacker's machine once.. I'm convinced the whole username/pass thing is passe at best.
--
Life is too short to be boring]]> http://www.dslreports.com/forum/remark,14213874 Wed, 24 Aug 2005 22:41:19 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213871 mers2 :
said by B See Profile :

It's your private information you're about to transmit. Just because you trust the bank/institution with your money doesn't mean you trust their webmasters to be infallible!

-- B
Considering some of the boneheaded blunders by bank ITs lately I wouldn't trust their webmasters either. We try in this forum to teach security and making the average user aware of the security on their trusted sites, especially with phishing issues and data leaks, this is a valid discussion.
--
God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die. ]]> http://www.dslreports.com/forum/remark,14213871 Wed, 24 Aug 2005 22:40:58 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213863 Daniel : Again, I'm not saying that the current way people are conditioned is good -- I'm just pointing out that they are conditioned that way.
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14213863 Wed, 24 Aug 2005 22:40:13 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213825 B :
said by nil See Profile :

Right.. it's completely a 'perception' issue not a 'technical' one.. hence my amazement that it's made into technical news.
Wrong. It's a technical issue too, even for people who know what's going on. Are you really prepared to verify the HTML code of a particular site EVERY time you log in? Are you even sure you're looking at the right section of code? Not a duplicate or legacy section? Don't you feel a bit put out that you even HAVE that worry on your plate?

The padlock's a darned useful shortcut for "regular users" and geeks alike. I don't see any shame in expecting it to be there for the duration of a "secure" session.

The reason Daniel's Yahoo secured / unsecured login paradigm exists is because it makes perfect sense. Quick -- do you know whether the credentials are passed via SSL on the unsecured Yahoo login page? I sure don't.

It's your private information you're about to transmit. Just because you trust the bank/institution with your money doesn't mean you trust their webmasters to be infallible!

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,14213825 Wed, 24 Aug 2005 22:35:19 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213797 EGeezer : I agree with Daniel See Profile - It's a security issue.

Thinking like a user, I ask;

OK I'm on a page that says When I type in my sensitive information it will be encrypted after I press enter. But, fake sites promise that too according to what I read and hear. Any phisher can put a GIF image of a lock on a fake page...

So, how do I know that my stuff will actually be encrypted if I do enter it? All I have is some text that promises...

Looks like a valid question to me.
--
Every
Good
Electrical
Engineer
Zeroes
Each
Register]]> http://www.dslreports.com/forum/remark,14213797 Wed, 24 Aug 2005 22:31:14 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213773 Daniel :
said by nil See Profile :

Right.. it's completely a 'perception' issue not a 'technical' one.. hence my amazement that it's made into technical news.
Well, not to argue or anything, but what's a better forum for the topic if not this one? It hardly fits in something like Psychology Weekly. I think this is precisely the right place for this discussion.
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14213773 Wed, 24 Aug 2005 22:27:51 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213724 Daniel : By the way, a good example of this conditioning can be found at Yahoo.com. They have a login page, and they have a secured login page. What does that tell a user?

We can only ask so much of a regular user, guys. They've been told a single thing for years now -- don't ever enter your password into an unencrypted page. But lo and behold, that's exactly what this site is asking them to do. I'm not one bit suprised that there's confusion. Again, look at the Yahoo paradigm; it's the one they're used to.
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14213724 Wed, 24 Aug 2005 22:22:29 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213715 nil : Right.. it's completely a 'perception' issue not a 'technical' one.. hence my amazement that it's made into technical news.
--
Life is too short to be boring]]> http://www.dslreports.com/forum/remark,14213715 Wed, 24 Aug 2005 22:21:31 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213673 Daniel : As much as Kasia and Steve are correct here, I'm going to have to agree somewhat with the fact that this can be net-bad. The reason is simple -- very few people (even out of the few that know to look for the padlock -- understand that you can be on an unencrypted page, enter your credentials, and have them be encrypted when you click submit.

This is a human problem, not a technical one. People associate the current page with their level of security, not a future page. It's the way they've been conditioned.

Is it wrong? Sure. But can we blame them for thinking this way when they have regular jobs and very little time to devote to learning about website encryption? I don't think so.
--
dmiessler.com - grep understanding knowledge]]> http://www.dslreports.com/forum/remark,14213673 Wed, 24 Aug 2005 22:17:50 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213540 Feets : Bad guys can use SSL, but bad guys won't have a certificate signed by Verisign or RSA that has my bank's server address on it.

Click for full size
]]> http://www.dslreports.com/forum/remark,14213540 Wed, 24 Aug 2005 22:03:18 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213508 mers2 :
said by nil See Profile :

How is that.. bad guys can't use SSL?
Which is why, especially with my financial institution, I want to know before I log on that SSL logon is working.
--
God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die. ]]> http://www.dslreports.com/forum/remark,14213508 Wed, 24 Aug 2005 21:59:22 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213482 nil : How is that.. bad guys can't use SSL? ]]> http://www.dslreports.com/forum/remark,14213482 Wed, 24 Aug 2005 21:55:53 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213217 Feets :
said by B See Profile :

This confuses everybody who's waiting to see a padlock icon.
Despite offering some peace of mind, the padlock icon is also the quickest way to verify the you are logging into actually came from the bank's server. ]]> http://www.dslreports.com/forum/remark,14213217 Wed, 24 Aug 2005 21:25:38 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14213158 no__1__here : I see both sides to this "argument". That said, if it bothers you that the initial page is not encrypted you can always alter the URL to be https instead (e.g. force it yourself).

But really, the biggest concern is not really man-in-the-middle attacks but rather how the bank manages your data on their side. You seldom hear about someone sniffing your password on the 'Net. That's not to say it is impossible, it is just a whole lotta work for one account. I'd rather steal backup tapes from UPS, pay someone to give me a database backup, whatever.

I'm about as paranoid as they come, but you have to choose your battles. I don't expect everyone to read the HTML (I did in fact do that the first time my bank's login page changed from SSL to non-SSL to see if the submit was still SSL'd), but again, just add the 's' yourself if it bothers you. ;)]]> http://www.dslreports.com/forum/remark,14213158 Wed, 24 Aug 2005 21:17:16 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14212748 Greg_Z : This is from US Banks website:

Internet Banking Security
Trust has always been the foundation of our relationship with customers, and we're committed to protecting your personal information. That's why whenever you login or log out of Internet Banking, you can be assured of total security. The moment you click Login, we encrypt your ID and password using the highest level of security, industry standard SSL (Secure Socket Layer) technology. That means only U.S. Bank has access to all data transmitted between your computer and our data centers.

As an additional safeguard, we will terminate your secured banking session for you after fifteen minutes of inactivity.

Internet Banking Risk Free Guarantee
U.S. Bank Internet Banking is so secure we guarantee we'll cover any losses if there's ever any unauthorized use of your account.

Ensuring Browser Security
To determine if you're on a secure usbank.com Web page, look for the lock icon and "Connection Secured" message.

Whenever you login to Internet Banking from our home page, be confident that your information will be protected by the highest security measures.
--
One man's customer loyalty is another man's misguided arrogance.]]> http://www.dslreports.com/forum/remark,14212748 Wed, 24 Aug 2005 20:22:16 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14212741 B :
Bull puckey, Steve See Profile-o. We're talking about login pages, not home pages. There's NO reason why the login, which quite frequently loads a different page anyway, can't be entirely SSL.

Citing the home page issue is a straw man.

Ignorant people? Are you serious? Average users should accept that the lock icon means something sometimes, and not other times, and learn to read raw HTML?

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,14212741 Wed, 24 Aug 2005 20:21:35 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14212717 nil : Wow.. what a non-story.. slow news day?

It makes absolutely no difference if the login page is secured or not! Why waste CPU cycles?
--
Life is too short to be boring]]> http://www.dslreports.com/forum/remark,14212717 Wed, 24 Aug 2005 20:18:15 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14212546 mers2 :
said by Steve See Profile :

said by mers2 See Profile :

Security conscious customers should make it clear that security trumps speed.
When customers don't know the difference between something that protects them from a danger, and something that has no effect on this whatsoever, I don't think they should get a vote.

Steve
It might not make a difference on the main page - but how is a customer to tell the actual login is SSL without having to log in first?
--
God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die. ]]> http://www.dslreports.com/forum/remark,14212546 Wed, 24 Aug 2005 19:52:00 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14212517 Steve :
said by mers2 See Profile :

Security conscious customers should make it clear that security trumps speed.
When customers don't know the difference between something that protects them from a danger, and something that has no effect on this whatsoever, I don't think they should get a vote.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site]]> http://www.dslreports.com/forum/remark,14212517 Wed, 24 Aug 2005 19:48:41 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14212405 mers2 : Considering the fact that the IT responsible for my local library is so paranoid that the entire website is SSL protected, I find this amusing. I'm paranoid that if I can't tell the info is secured before logging on to a financial institution I won't. Security conscious customers should make it clear that security trumps speed.
--
God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die. ]]> http://www.dslreports.com/forum/remark,14212405 Wed, 24 Aug 2005 19:35:00 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14212082 Doctor Four : This is what Washington Mutual does. The main page is not
secure, but any personal info entered there for login is
transmitted over a secure connection. But they have an
explanation link on why this method is secure below the
login box.]]> http://www.dslreports.com/forum/remark,14212082 Wed, 24 Aug 2005 18:49:55 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14211951 anon : Like Yahoo mail, though with SSL login, all the emails are transmitted in plain HTTP when you are searching and reading in your account... Anyone with authority can read at ease...]]> http://www.dslreports.com/forum/remark,14211951 Wed, 24 Aug 2005 18:32:05 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14211907 dantz : Hey, my bank did that! You can login on their home page without protection. Luckily I found an alternate SSL-protected login page elsewhere on their site. ]]> http://www.dslreports.com/forum/remark,14211907 Wed, 24 Aug 2005 18:27:00 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14211878 Steve :
said by jefe See Profile :

Doesn't that have the effect of sending your userid and password in plain text?
No way: it's not the fetch of the main page that determines this, but the action upon submit, and everybody still encrypts the important stuff.

It's very expensive to encrypt large amounts of home-page traffic that doesn't really require it, and doing this just so ignorant people feel better just ends up imposting costs on everybody for no good purpose (hmmm, that sounds just like our war on terrorism).

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site]]> http://www.dslreports.com/forum/remark,14211878 Wed, 24 Aug 2005 18:23:03 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14211853 B : And there we have it -- jefe See Profile's logical question is exactly the problem.

No, your user id and password get encrypted -- the HTML source for the page will show that the form data (which you've typed locally) gets TRANSMITTED via an https connection (post) back to Chase. But you have no way of KNOWING this other than to (a) trust them and/or (b) examine the HTML source of the page carefully.

It's just a stupid idea (of the cheapskate banks et al.).

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,14211853 Wed, 24 Aug 2005 18:19:30 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14211761 jefe : Doesn't that have the effect of sending your userid and password in plain text?

I noticed my little bank, JP Morgan-Chase, is using an unsecure page for login now.

If you login in plain text, what's the sense to having all the following information encrypted?]]> http://www.dslreports.com/forum/remark,14211761 Wed, 24 Aug 2005 18:04:51 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14211503 B : And now they're openly admitting it. I give up. What's the point of ranting about security if the biggest real-world encryption implementations throw away years of consumer training to save a few dollars of CPU time. But those Flash Animations and control panels? Plenty of room.

Ugh.

For clarity, if you haven't read the article yet, no one's omitting encryption per se; they're just being cheap and not encrypting the page BEFORE your info is sent. This confuses everybody who's waiting to see a padlock icon.

-- B
--
In a realm outside causality and function]]> http://www.dslreports.com/forum/remark,14211503 Wed, 24 Aug 2005 17:31:35 EDT Re: Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14211465 skyroket : booooooooooooooooooo
Luckily my small-town bank still uses and plans to use SSL for the main page on web based activities.]]> http://www.dslreports.com/forum/remark,14211465 Wed, 24 Aug 2005 17:28:12 EDT Banks Abandoning SSL On Home Page Log-Ins http://www.dslreports.com/forum/remark,14211442 antdude : »www.informationweek.com/story/sh···69600305

"Some of the biggest banks have abandoned the practice of posting their online account log-in screens on SSL-protected pages in an effort to boost page response time."]]> http://www.dslreports.com/forum/remark,14211442 Wed, 24 Aug 2005 17:24:34 EDT