  jefe Premium join:2001-05-19 Northport, NY
| reply to B Re: Banks Abandoning SSL On Home Page Log-Ins
Doesn't that have the effect of sending your userid and password in plain text?
I noticed my little bank, JP Morgan-Chase, is using an unsecure page for login now.
If you login in plain text, what's the sense to having all the following information encrypted? |
|
 B Premium,MVM join:2000-10-28
| And there we have it -- jefe's logical question is exactly the problem.
No, your user id and password get encrypted -- the HTML source for the page will show that the form data (which you've typed locally) gets TRANSMITTED via an https connection (post) back to Chase. But you have no way of KNOWING this other than to (a) trust them and/or (b) examine the HTML source of the page carefully.
It's just a stupid idea (of the cheapskate banks et al.).
-- B -- In a realm outside causality and function |
|
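Added example, not part of any post in this thread: the check B describes (reading the page source to see where the login form submits), written as a small Python script. It reports, for each form containing a password field, whether the page that delivered the form and the submit target each use HTTPS. The `bank.example` host names and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _FormScanner(HTMLParser):
    """Collects the action of every <form> that holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []        # finished forms that contain a password input
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["password"]:
                self.forms.append(self._current)
            self._current = None

def audit_login_forms(page_url, html):
    """Return (resolved_action, verdict) for each login form on the page."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    page_tls = urlparse(page_url).scheme == "https"
    results = []
    for form in scanner.forms:
        # An empty or relative action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"])
        submit_tls = urlparse(target).scheme == "https"
        if not submit_tls:
            verdict = "credentials submitted unencrypted"
        elif not page_tls:
            # The POST is encrypted, but the HTML naming the target was not
            # authenticated, so the user cannot verify it from the browser UI.
            verdict = "submit encrypted, form page unauthenticated"
        else:
            verdict = "form page and submit both over HTTPS"
        results.append((target, verdict))
    return results

# Constructed sample: a home page fetched over plain HTTP whose form posts to HTTPS.
SAMPLE = """<html><body><form method="post" action="https://bank.example/logon">
<input type="text" name="user"><input type="password" name="pw"></form></body></html>"""
```

Calling `audit_login_forms("http://www.bank.example/", SAMPLE)` gives the middle verdict, which is the situation this thread is arguing about.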
  Steve Security is inefficient Consultant join:2001-03-10 Tustin, CA
| reply to jefe
said by jefe: Doesn't that have the effect of sending your userid and password in plain text?
No way: it's not the fetch of the main page that determines this, but the action upon submit, and everybody still encrypts the important stuff.
It's very expensive to encrypt large amounts of home-page traffic that doesn't really require it, and doing this just so ignorant people feel better just ends up imposing costs on everybody for no good purpose (hmmm, that sounds just like our war on terrorism).
Steve -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site |
|
 B Premium,MVM join:2000-10-28
| Bull puckey, Steve-o. We're talking about login pages, not home pages. There's NO reason why the login, which quite frequently loads a different page anyway, can't be entirely SSL.
Citing the home page issue is a straw man.
Ignorant people? Are you serious? Average users should accept that the lock icon means something sometimes, and not other times, and learn to read raw HTML?
-- B -- In a realm outside causality and function |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to jefe
said by jefe: Doesn't that have the effect of sending your userid and password in plain text? I noticed my little bank, JP Morgan-Chase, is using an unsecure page for login now. If you login in plain text, what's the sense to having all the following information encrypted?
There is a secure login page on the Chase site. You have to hunt around for it though. »https://chaseonline.chase.com/chaseonlin···ogon.jsp
CapitalOne does it the right way. They have you click on login on the unsecure main page but that click takes you to a SECURE page where you actually enter your information. Chase has just totally redone their site and method of credit card payment. It is ironic that they have secure message center and other stuff and bill paying is much easier than it was with Chase Presentment but all this secure stuff now except for login unless you look in rather obscure places for the secure login page.
-- Around 2005 a sudden spark will catalyze a Crisis mood. The very survival of the nation will seem to be at stake. Sometime before 2025, America will pass through a great gate in history. The risk and promise will be very high. The Fourth Turning Wm. Straus |
|
 dirtrat
join:2001-10-08 Woodland, CA
| reply to Steve
Well then you are a lot more trusting of these MONEY MAKING banks and organizations to do the right thing than I am. I sure hope that works out for you!
said by Steve:
said by jefe: Doesn't that have the effect of sending your userid and password in plain text?
No way: it's not the fetch of the main page that determines this, but the action upon submit, and everybody still encrypts the important stuff. It's very expensive to encrypt large amounts of home-page traffic that doesn't really require it, and doing this just so ignorant people feel better just ends up imposing costs on everybody for no good purpose (hmmm, that sounds just like our war on terrorism). Steve |
|
  Rexter YeeHaw
join:2002-11-17 cloud 9
| reply to Steve
I prefer to know that it's being encrypted before I submit sensitive information. I think that it's bad form to train people to input sensitive information into a non-encrypted page. Why is this such an issue anyway? The entire home page doesn't have to be encrypted. Can't they just create a small encrypted frame, on the home page?
-- When all is said, and done, there will be more said than done. |
|
  Martinus Premium join:2001-08-06 EU
| said by Rexter: Can't they just create a small encrypted frame, on the home page?
Having an encrypted frame inside a frameset where other frames are not encrypted won't display the HTTPS padlock.
-- From the GSV "Ethics Gradient" |
|
  dslhater Premium join:2001-09-24 Chicopee, MA edit: August 25th, @12:12PM
| reply to Steve
And that last comment has to do with banks??? |
|
  Rexter YeeHaw
join:2002-11-17 cloud 9
| reply to Martinus
You're referring to a non-encrypted page that loads an encrypted frame. I'm talking about an encrypted frame that loads the rest of the non-encrypted page. Yeah, I really said it backwards. Let's say the URL is https, but that address only contains 1 small frame, on the page, that loads the rest of the non-encrypted page.
I must admit that I still wouldn't like it. I wouldn't be able to tell, at a glance, if the frame, where my username and password is going, is encrypted or not. But this would appease Steve's so-called "ignorant people."
-- When all is said, and done, there will be more said than done. |
|