antdude (A Ninja Ant; Premium, VIP; join: 2001-03-25)
Banks Abandoning SSL On Home Page Log-Ins
»www.informationweek.com/story/sh···69600305
"Some of the biggest banks have abandoned the practice of posting their online account log-in screens on SSL-protected pages in an effort to boost page response time."
skyroket (join: 2001-06-11; Colorado, US; edit: August 24th, @05:40PM)
Booooooooooooooooooo. Luckily my small-town bank still uses and plans to use SSL for the main page on web-based activities.
B (Premium, MVM; join: 2000-10-28), reply to antdude
And now they're openly admitting it. I give up. What's the point of ranting about security if the biggest real-world encryption implementations throw away years of consumer training to save a few dollars of CPU time? But those Flash animations and control panels? Plenty of room.
Ugh.
For clarity, if you haven't read the article yet, no one's omitting encryption per se; they're just being cheap and not encrypting the page BEFORE your info is sent. This confuses everybody who's waiting to see a padlock icon.
-- B -- In a realm outside causality and function
jefe (Premium; join: 2001-05-19; Northport, NY)
Doesn't that have the effect of sending your userid and password in plain text?
I noticed my little bank, JP Morgan-Chase, is using an unsecured page for login now.
If you log in in plain text, what's the sense in having all the following information encrypted?
B (Premium, MVM; join: 2000-10-28)
And there we have it -- jefe's logical question is exactly the problem.
No, your user id and password get encrypted -- the HTML source for the page will show that the form data (which you've typed locally) gets TRANSMITTED via an https connection (post) back to Chase. But you have no way of KNOWING this other than to (a) trust them and/or (b) examine the HTML source of the page carefully.
It's just a stupid idea (of the cheapskate banks et al.).
-- B -- In a realm outside causality and function
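Added example, not part of the thread: a small Python audit that does what B describes doing by hand, reading a login page's HTML to find where each password field is actually POSTed, and classifying the result (page and POST both https, http page posting to https as the banks in the article do, or a plaintext POST). The page URLs, the HTML and the "example-bank.test" host are constructed for the example.

```python
# Added example, not from the thread: automates the manual check B describes,
# reading a login page's HTML to see where each password field is POSTed.
# URLs and HTML here are constructed; "example-bank.test" is made up.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    """Collect each <form>, its resolved action URL, and whether it holds a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An absent or empty action submits back to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_forms(page_url, html):
    """Return (action_url, verdict) per password form: 'secure' (page and POST both
    https), 'plaintext' (credentials sent unencrypted), or 'mixed' (http page posting
    to https, the case the thread argues about: no padlock, and since the page itself
    arrived unencrypted the verdict reflects only the HTML as received)."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    verdicts = []
    for form in scanner.forms:
        if form["has_password"]:
            action_https = urlsplit(form["action"]).scheme == "https"
            verdict = "plaintext" if not action_https else ("secure" if page_https else "mixed")
            verdicts.append((form["action"], verdict))
    return verdicts

# Constructed stand-in for a bank home page: https login POST plus an unrelated search form.
SAMPLE_HOME_PAGE = """<html><body>
<form action="https://secure.example-bank.test/login" method="post">
  <input name="userid"> <input type="password" name="pin"></form>
<form action="/search"><input name="q"></form></body></html>"""
```

Calling `audit_login_forms("http://www.example-bank.test/", SAMPLE_HOME_PAGE)` reports the login form as `mixed`, which is exactly the situation the article describes: the credentials are POSTed over https, but nothing the browser shows on the unencrypted home page tells the user so.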
Steve (SAS-70 is extortion; Consultant; join: 2001-03-10; Tustin, CA), reply to jefe
said by jefe: Doesn't that have the effect of sending your userid and password in plain text?
No way: it's not the fetch of the main page that determines this, but the action upon submit, and everybody still encrypts the important stuff.
It's very expensive to encrypt large amounts of home-page traffic that doesn't really require it, and doing this just so ignorant people feel better just ends up imposing costs on everybody for no good purpose (hmmm, that sounds just like our war on terrorism).
Steve -- Stephen J. Friedl, Unix Wizard, Microsoft Security MVP, Tustin, California USA, my web site
dantz (join: 2005-05-09; Honolulu, HI), reply to antdude
Hey, my bank did that! You can log in on their home page without protection. Luckily I found an alternate SSL-protected login page elsewhere on their site.
Anon users (@anonymouse.org)
Like Yahoo mail, though with SSL login, all the emails are transmitted in plain HTTP when you are searching and reading in your account... Anyone with authority can read at ease...
Doctor Four (My other vehicle is a TARDIS; Premium; join: 2000-09-05; Dallas, TX), reply to antdude
This is what Washington Mutual does. The main page is not secure, but any personal info entered there for login is transmitted over a secure connection. But they have an explanation link, below the login box, on why this method is secure.
mers2 (Premium, MVM; join: 2004-03-20; USA; clubs: AT&T DSL Service, Charter Pipeline), reply to antdude
Considering the fact that the IT responsible for my local library is so paranoid that the entire website is SSL protected, I find this amusing. I'm paranoid: if I can't tell the info is secured before logging on to a financial institution, I won't. Security-conscious customers should make it clear that security trumps speed.
-- God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die.
Steve (SAS-70 is extortion; Consultant; join: 2001-03-10; Tustin, CA)
said by mers2: Security conscious customers should make it clear that security trumps speed.
When customers don't know the difference between something that protects them from a danger and something that has no effect on this whatsoever, I don't think they should get a vote.
Steve -- Stephen J. Friedl, Unix Wizard, Microsoft Security MVP, Tustin, California USA, my web site
mers2 (Premium, MVM; join: 2004-03-20; USA; clubs: AT&T DSL Service, Charter Pipeline)
said by Steve:
    said by mers2: Security conscious customers should make it clear that security trumps speed.
    When customers don't know the difference between something that protects them from a danger and something that has no effect on this whatsoever, I don't think they should get a vote. Steve
It might not make a difference on the main page, but how is a customer to tell the actual login is SSL without having to log in first?
-- God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die.
nil (Java Geek; join: 2000-11-27), reply to antdude
Wow.. what a non-story.. slow news day?
It makes absolutely no difference if the login page is secured or not! Why waste CPU cycles?
-- Life is too short to be boring
B (Premium, MVM; join: 2000-10-28), reply to Steve
Bull puckey, Steve-o. We're talking about login pages, not home pages. There's NO reason why the login, which quite frequently loads a different page anyway, can't be entirely SSL.
Citing the home page issue is a straw man.
Ignorant people? Are you serious? Average users should accept that the lock icon means something sometimes, and not other times, and learn to read raw HTML?
-- B -- In a realm outside causality and function
Greg_Z (Premium; join: 2001-08-08; Springfield, IL; Comcast, Vonage, Insight Communicat..), reply to antdude
This is from US Bank's website:

Internet Banking Security
Trust has always been the foundation of our relationship with customers, and we're committed to protecting your personal information. That's why whenever you login or log out of Internet Banking, you can be assured of total security. The moment you click Login, we encrypt your ID and password using the highest level of security, industry standard SSL (Secure Socket Layer) technology. That means only U.S. Bank has access to all data transmitted between your computer and our data centers.
As an additional safeguard, we will terminate your secured banking session for you after fifteen minutes of inactivity.

Internet Banking Risk Free Guarantee
U.S. Bank Internet Banking is so secure we guarantee we'll cover any losses if there's ever any unauthorized use of your account.

Ensuring Browser Security
To determine if you're on a secure usbank.com Web page, look for the lock icon and "Connection Secured" message.
Whenever you login to Internet Banking from our home page, be confident that your information will be protected by the highest security measures.

-- One man's customer loyalty is another man's misguided arrogance.
no__1__here (Premium; join: 2003-10-13; Tomball, TX; AT&T Southwest; edit: August 24th, @09:17PM), reply to antdude
I see both sides to this "argument". That said, if it bothers you that the initial page is not encrypted, you can always alter the URL to be https instead (i.e. force it yourself).
But really, the biggest concern is not really man-in-the-middle attacks but rather how the bank manages your data on their side. You seldom hear about someone sniffing your password on the 'Net. That's not to say it is impossible; it is just a whole lotta work for one account. I'd rather steal backup tapes from UPS, pay someone to give me a database backup, whatever.
I'm about as paranoid as they come, but you have to choose your battles. I don't expect everyone to read the HTML (I did in fact do that the first time my bank's login page changed from SSL to non-SSL, to see if the submit was still SSL'd), but again, just add the 's' yourself if it bothers you.
Feets (More faults than the state of California; Premium; join: 2002-12-11; Hamilton, ON), reply to B
said by B: This confuses everybody who's waiting to see a padlock icon.
Despite offering some peace of mind, the padlock icon is also the quickest way to verify that the page you are logging into actually came from the bank's server.
nil (Java Geek; join: 2000-11-27; edit: August 24th, @09:56PM)
How is that.. bad guys can't use SSL?
mers2 (Premium, MVM; join: 2004-03-20; USA; clubs: AT&T DSL Service, Charter Pipeline)
said by nil: How is that.. bad guys can't use SSL?
Which is why, especially with my financial institution, I want to know before I log on that SSL logon is working.
-- God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die.
Feets (More faults than the state of California; Premium; join: 2002-12-11; Hamilton, ON; edit: August 24th, @10:04PM), reply to antdude
Bad guys can use SSL, but bad guys won't have a certificate signed by Verisign or RSA that has my bank's server address on it.