Re: Banks Abandoning SSL On Home Page Log-Ins

Author	All Replies
Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA	reply to jefe Re: Banks Abandoning SSL On Home Page Log-Ins said by jefe : Doesn't that have the effect of sending your userid and password in plain text? No way: it's not the fetch of the main page that determines this, but the action upon submit, and everybody still encrypts the important stuff. It's very expensive to encrypt large amounts of home-page traffic that doesn't really require it, and doing this just so ignorant people feel better just ends up imposting costs on everybody for no good purpose (hmmm, that sounds just like our war on terrorism). Steve -- Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site
	to forum · permalink · · 2005-08-24 18:23:03 ·
B Premium,MVM join:2000-10-28	Bull puckey, Steve -o. We're talking about login pages, not home pages. There's NO reason why the login, which quite frequently loads a different page anyway, can't be entirely SSL. Citing the home page issue is a straw man. Ignorant people? Are you serious? Average users should accept that the lock icon means something sometimes, and not other times, and learn to read raw HTML? -- B -- In a realm outside causality and function
	to forum · permalink · · 2005-08-24 20:21:35 ·
dirtrat4 join:2001-10-08 Woodland, CA	reply to Steve Well then you are alot more trusting of these MONEY MAKING banks and organizations to do the right thing than I am. I sure hope that works out for you! said by Steve : said by jefe : Doesn't that have the effect of sending your userid and password in plain text? No way: it's not the fetch of the main page that determines this, but the action upon submit, and everybody still encrypts the important stuff. It's very expensive to encrypt large amounts of home-page traffic that doesn't really require it, and doing this just so ignorant people feel better just ends up imposting costs on everybody for no good purpose (hmmm, that sounds just like our war on terrorism). Steve
	to forum · permalink · · 2005-08-25 02:17:57 ·
Rexter YeeHaw join:2002-11-17 cloud 9	reply to Steve I prefer to know that it's being encrypted before I submit sensitive information. I think that it's bad form to train people to input sensitive information into a non encrypted page. Why is this such an issue anyway? The entire home page doesn't have to be encrypted. Can't they just create a small encrypted frame, on the home page? -- When all is said, and done, there will be more said than done.
	to forum · permalink · · 2005-08-25 07:38:28 ·
Martinus Premium join:2001-08-06 EU	said by Rexter : Can't they just create a small encrypted frame, on the home page? Having an encrypted frame inside a frameset where other frames are not encrypted won't display the HTTPS padlock. -- From the GSV "Ethics Gradient"
	to forum · permalink · · 2005-08-25 08:37:55 ·
dslhater Premium join:2001-09-24 Chicopee, MA clubs: 1 edit	reply to Steve And that last commment has to do with banks???
	to forum · permalink · · 2005-08-25 09:03:03 ·
Rexter YeeHaw join:2002-11-17 cloud 9	reply to Martinus You're referring to a non encrypted page that loads an encrypted frame. I'm talking about an encrypted frame that loads the rest of the non encrypted page. Yea, I really said it backwards. Lets say the URL is https, but that address only contains 1 small frame, on the page, that loads the rest of the non encrypted page. I must admit that I still wouldn't like it. I wouldn't be able to tell, at a glance, if the frame, where my username and password is going, is encrypted or not. But this would appease Steves' so called "ignorant people." -- When all is said, and done, there will be more said than done.
	to forum · permalink · · 2005-08-25 13:52:07 ·


Tuesday, 10-Nov 10:44:03	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF