B
Premium,MVM
join:2000-10-28
| reply to antdude
Re: Banks Abandoning SSL On Home Page Log-Ins
And now they're openly admitting it. I give up. What's the point of ranting about security if the biggest real-world encryption implementations throw away years of consumer training to save a few dollars of CPU time. But those Flash Animations and control panels? Plenty of room.
Ugh.
For clarity, if you haven't read the article yet, no one's omitting encryption per se; they're just being cheap and not encrypting the page BEFORE your info is sent. This confuses everybody who's waiting to see a padlock icon.
-- B
--
In a realm outside causality and function |
|
jefe
Premium
join:2001-05-19
Northport, NY
| Doesn't that have the effect of sending your userid and password in plain text?
I noticed my little bank, JP Morgan-Chase, is using an unsecure page for login now.
If you login in plain text, what's the sense to having all the following information encrypted? |
|
B
Premium,MVM
join:2000-10-28
| And there we have it -- jefe  's logical question is exactly the problem.
No, your user id and password get encrypted -- the HTML source for the page will show that the form data (which you've typed locally) gets TRANSMITTED via an https connection (post) back to Chase. But you have no way of KNOWING this other than to (a) trust them and/or (b) examine the HTML source of the page carefully.
It's just a stupid idea (of the cheapskate banks et al.).
-- B
--
In a realm outside causality and function |
|
Steve
SAS-70 is extortion
Consultant
join:2001-03-10
Tustin, CA
| reply to jefe
said by jefe :Doesn't that have the effect of sending your userid and password in plain text? No way: it's not the fetch of the main page that determines this, but the action upon submit, and everybody still encrypts the important stuff.
It's very expensive to encrypt large amounts of home-page traffic that doesn't really require it, and doing this just so ignorant people feel better just ends up imposting costs on everybody for no good purpose (hmmm, that sounds just like our war on terrorism).
Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site |
|
B
Premium,MVM
join:2000-10-28
|
Bull puckey, Steve -o. We're talking about login pages, not home pages. There's NO reason why the login, which quite frequently loads a different page anyway, can't be entirely SSL.
Citing the home page issue is a straw man.
Ignorant people? Are you serious? Average users should accept that the lock icon means something sometimes, and not other times, and learn to read raw HTML?
-- B
--
In a realm outside causality and function |
|
Feets
Strong opinions, weakly held
Premium
join:2002-12-11
Las Vegas, NV
 ·Cogeco Cable
| reply to B
said by B : This confuses everybody who's waiting to see a padlock icon. Despite offering some peace of mind, the padlock icon is also the quickest way to verify the you are logging into actually came from the bank's server. |
|
nil
Java Geek
join:2000-11-27
edit:
August 24th, @09:56PM
| How is that.. bad guys can't use SSL? |
|
mers2
Premium,MVM
join:2004-03-20
USA
clubs:
 ·AT&T DSL Service
·Charter Pipeline
| said by nil :How is that.. bad guys can't use SSL? Which is why, especially with my financial institution, I want to know before I log on that SSL logon is working.
--
God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die. |
|
Daniel
Episteme
Premium,MVM
join:2000-06-26
Newark, CA
clubs: 
edit:
August 24th, @11:05PM
| reply to Feets
Actually folks, there is another major issue here. How exactly are they supposed to verify the authenticity of a certificate? Are they supposed to do it after entering their credentials and sending them somewhere?
At that point it's more an informational thing. "Oh goody, let me just check and see real quick where I actually just sent my password."  Russia? Oh, that's not good.
The browser should balk at bad certs, but the point is that this is not the sort of thing you want to verify after clicking submit.
--
dmiessler.com - grep understanding knowledge |
|
nil
Java Geek
join:2000-11-27
Host:
Webmasters and Dev..
Forum Feature Requ..
| That's a fair point
I still say the real issue is the kind of information that is sent.. not how it's sent. All the security & keylogger issue could be made a lot less relevant with some brainstorming..
--
Life is too short to be boring |
|
B
Premium,MVM
join:2000-10-28
| I hope you're right, nil , but I can't help thinking that this has been considered for years in the business world and the best we seem to have come up with is smart card tokens with synchronized time-based hashes. They're annoying. Fingerprint scanners have been shown in most cases to have laughable security. I don't know that there's an answer. (Though MS seems to feel differently.) I'm not ready to give up on userids and passwords.
I talked about a too-common little cert issue at »Eddie Bauer A major retailer went almost THREE WEEKS with an expired cert. Nobody cared. They still sold out of the Classic Fit Jeans.
-- B
--
In a realm outside causality and function |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| reply to jefe
said by jefe :Doesn't that have the effect of sending your userid and password in plain text? I noticed my little bank, JP Morgan-Chase, is using an unsecure page for login now. If you login in plain text, what's the sense to having all the following information encrypted? There is a secure login page on the Chase site. You have hunt around for it though.
»https://chaseonline.chase.com/chaseonlin···ogon.jsp
CapitalOne does it the right way. They have you click on login on the unsecure main page but that click takes you to a SECURE page where you actually enter your information. Chase has just totally redone their site and method of credit card payment. It is ironic that they have secure message center and other stuff and bill paying is much easier than it was with Chase Presientment but all this secure stuff now except for login unless you look in rather obscure places for the secure login page. 
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake.Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus |
|
dirtrat
join:2001-10-08
Woodland, CA
| reply to Steve
Well then you are alot more trusting of these MONEY MAKING banks and organizations to do the right thing than I am. I sure hope that works out for you!
said by Steve :said by jefe :Doesn't that have the effect of sending your userid and password in plain text? No way: it's not the fetch of the main page that determines this, but the action upon submit, and everybody still encrypts the important stuff. It's very expensive to encrypt large amounts of home-page traffic that doesn't really require it, and doing this just so ignorant people feel better just ends up imposting costs on everybody for no good purpose (hmmm, that sounds just like our war on terrorism). Steve |
|
Rexter
YeeHaw
join:2002-11-17
cloud 9
| reply to Steve
I prefer to know that it's being encrypted before I submit sensitive information. I think that it's bad form to train people to input sensitive information into a non encrypted page.
Why is this such an issue anyway? The entire home page doesn't have to be encrypted. Can't they just create a small encrypted frame, on the home page?
--
When all is said, and done, there will be more said than done. |
|
Martinus
Premium
join:2001-08-06
EU
| said by Rexter :Can't they just create a small encrypted frame, on the home page? Having an encrypted frame inside a frameset where other frames are not encrypted won't display the HTTPS padlock.
--
From the GSV "Ethics Gradient" |
|
dslhater
Premium
join:2001-09-24
Chicopee, MA
clubs:
edit:
August 25th, @12:12PM
| reply to Steve
And that last commment has to do with banks??? |
|
Rexter
YeeHaw
join:2002-11-17
cloud 9
| reply to Martinus
You're referring to a non encrypted page that loads an encrypted frame. I'm talking about an encrypted frame that loads the rest of the non encrypted page. Yea, I really said it backwards. Lets say the URL is https, but that address only contains 1 small frame, on the page, that loads the rest of the non encrypted page.
I must admit that I still wouldn't like it. I wouldn't be able to tell, at a glance, if the frame, where my username and password is going, is encrypted or not. But this would appease Steves' so called "ignorant people."
--
When all is said, and done, there will be more said than done. |
|
