Banks Abandoning SSL On Home Page Log-Ins
B
Premium,MVM
join:2000-10-28

Re: Banks Abandoning SSL On Home Page Log-Ins

And now they're openly admitting it. I give up. What's the point of ranting about security if the biggest real-world encryption implementations throw away years of consumer training to save a few dollars of CPU time. But those Flash Animations and control panels? Plenty of room.

Ugh.

For clarity, if you haven't read the article yet, no one's omitting encryption per se; they're just being cheap and not encrypting the page BEFORE your info is sent. This confuses everybody who's waiting to see a padlock icon.

-- B
--
In a realm outside causality and function

jefe
Premium
join:2001-05-19
Northport, NY
·Verizon FIOS

Re: Banks Abandoning SSL On Home Page Log-Ins

Doesn't that have the effect of sending your userid and password in plain text?

I noticed my little bank, JP Morgan-Chase, is using an unsecure page for login now.

If you login in plain text, what's the sense in having all the following information encrypted?
B
Premium,MVM
join:2000-10-28

Re: Banks Abandoning SSL On Home Page Log-Ins

And there we have it -- jefe's logical question is exactly the problem.

No, your user id and password get encrypted -- the HTML source for the page will show that the form data (which you've typed locally) gets TRANSMITTED via an https connection (post) back to Chase. But you have no way of KNOWING this other than to (a) trust them and/or (b) examine the HTML source of the page carefully.

It's just a stupid idea (of the cheapskate banks et al.).

-- B
--
In a realm outside causality and function

Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

said by jefe:

Doesn't that have the effect of sending your userid and password in plain text?

No way: it's not the fetch of the main page that determines this, but the action upon submit, and everybody still encrypts the important stuff.

It's very expensive to encrypt large amounts of home-page traffic that doesn't really require it, and doing this just so ignorant people feel better just ends up imposing costs on everybody for no good purpose (hmmm, that sounds just like our war on terrorism).

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site
B
Premium,MVM
join:2000-10-28

Re: Banks Abandoning SSL On Home Page Log-Ins


Bull puckey, Steve-o. We're talking about login pages, not home pages. There's NO reason why the login, which quite frequently loads a different page anyway, can't be entirely SSL.

Citing the home page issue is a straw man.

Ignorant people? Are you serious? Average users should accept that the lock icon means something sometimes, and not other times, and learn to read raw HTML?

-- B
--
In a realm outside causality and function
dirtrat4

join:2001-10-08
Woodland, CA

Well then you are a lot more trusting of these MONEY MAKING banks and organizations to do the right thing than I am. I sure hope that works out for you!

said by Steve:

said by jefe:

Doesn't that have the effect of sending your userid and password in plain text?

No way: it's not the fetch of the main page that determines this, but the action upon submit, and everybody still encrypts the important stuff.

It's very expensive to encrypt large amounts of home-page traffic that doesn't really require it, and doing this just so ignorant people feel better just ends up imposing costs on everybody for no good purpose (hmmm, that sounds just like our war on terrorism).

Steve

Rexter
YeeHaw

join:2002-11-17
cloud 9

I prefer to know that it's being encrypted before I submit sensitive information. I think that it's bad form to train people to input sensitive information into a non-encrypted page.
Why is this such an issue anyway? The entire home page doesn't have to be encrypted. Can't they just create a small encrypted frame, on the home page?
--
When all is said, and done, there will be more said than done.

Martinus
Premium
join:2001-08-06
EU

Re: Banks Abandoning SSL On Home Page Log-Ins

said by Rexter:

Can't they just create a small encrypted frame, on the home page?

Having an encrypted frame inside a frameset where other frames are not encrypted won't display the HTTPS padlock.
--
From the GSV "Ethics Gradient"

Rexter
YeeHaw

join:2002-11-17
cloud 9

Re: Banks Abandoning SSL On Home Page Log-Ins

You're referring to a non-encrypted page that loads an encrypted frame. I'm talking about an encrypted frame that loads the rest of the non-encrypted page. Yea, I really said it backwards. Let's say the URL is https, but that address only contains 1 small frame, on the page, that loads the rest of the non-encrypted page.

I must admit that I still wouldn't like it. I wouldn't be able to tell, at a glance, if the frame, where my username and password is going, is encrypted or not. But this would appease Steve's so-called "ignorant people."
--
When all is said, and done, there will be more said than done.

dslhater
Premium
join:2001-09-24
Chicopee, MA
And that last comment has to do with banks???
Mele20
Premium
join:2001-06-05
Hilo, HI

said by jefe:

Doesn't that have the effect of sending your userid and password in plain text?

I noticed my little bank, JP Morgan-Chase, is using an unsecure page for login now.

If you login in plain text, what's the sense in having all the following information encrypted?

There is a secure login page on the Chase site. You have to hunt around for it though.
https://chaseonline.chase.com/chaseonlin···ogon.jsp

CapitalOne does it the right way. They have you click on login on the unsecure main page, but that click takes you to a SECURE page where you actually enter your information. Chase has just totally redone their site and method of credit card payment. It is ironic that they have a secure message center and other stuff, and bill paying is much easier than it was with Chase Presentment, but all this stuff is now secure except for login, unless you look in rather obscure places for the secure login page.
--
Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake. Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning, Wm. Strauss

Feets
Premium
join:2002-12-11
Hamilton, ON
·Cogeco Cable

said by B:

This confuses everybody who's waiting to see a padlock icon.

Despite offering some peace of mind, the padlock icon is also the quickest way to verify that the page you are logging into actually came from the bank's server.

nil
Java Geek
join:2000-11-27


Re: Banks Abandoning SSL On Home Page Log-Ins

How is that.. bad guys can't use SSL?

mers2
Premium,MVM
join:2004-03-20
USA
·AT&T U-Verse

Re: Banks Abandoning SSL On Home Page Log-Ins

said by nil:

How is that.. bad guys can't use SSL?

Which is why, especially with my financial institution, I want to know before I log on that SSL logon is working.
--
God put me on this Earth to accomplish a certain number of things. Right now, I am so far behind I will never die.

Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
Actually folks, there is another major issue here. How exactly are they supposed to verify the authenticity of a certificate? Are they supposed to do it after entering their credentials and sending them somewhere?

At that point it's more an informational thing. "Oh goody, let me just check and see real quick where I actually just sent my password." Russia? Oh, that's not good.

The browser should balk at bad certs, but the point is that this is not the sort of thing you want to verify after clicking submit.
--
dmiessler.com - grep understanding knowledge

nil
Java Geek
join:2000-11-27


Re: Banks Abandoning SSL On Home Page Log-Ins

That's a fair point

I still say the real issue is the kind of information that is sent.. not how it's sent. All the security & keylogger issues could be made a lot less relevant with some brainstorming..
--
Life is too short to be boring
B
Premium,MVM
join:2000-10-28

Re: Banks Abandoning SSL On Home Page Log-Ins

I hope you're right, nil, but I can't help thinking that this has been considered for years in the business world and the best we seem to have come up with is smart card tokens with synchronized time-based hashes. They're annoying. Fingerprint scanners have been shown in most cases to have laughable security. I don't know that there's an answer. (Though MS seems to feel differently.) I'm not ready to give up on userids and passwords.

I talked about a too-common little cert issue at Eddie Bauer. A major retailer went almost THREE WEEKS with an expired cert. Nobody cared. They still sold out of the Classic Fit Jeans.

-- B
--
In a realm outside causality and function
Thursday, 10-Dec 11:18:19 | © 1999-2009 dslreports.com.