Steve
SAS-70 is extortion
Consultant
join:2001-03-10
Tustin, CA
| reply to jefe
Re: Banks Abandoning SSL On Home Page Log-Ins
said by jefe  :Doesn't that have the effect of sending your userid and password in plain text? No way: it's not the fetch of the main page that determines this, but the action upon submit, and everybody still encrypts the important stuff.
It's very expensive to encrypt large amounts of home-page traffic that doesn't really require it, and doing this just so ignorant people feel better just ends up imposting costs on everybody for no good purpose (hmmm, that sounds just like our war on terrorism).
Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft Security MVP • Tustin, California USA • my web site |
|
B
Premium,MVM
join:2000-10-28
|
Bull puckey, Steve -o. We're talking about login pages, not home pages. There's NO reason why the login, which quite frequently loads a different page anyway, can't be entirely SSL.
Citing the home page issue is a straw man.
Ignorant people? Are you serious? Average users should accept that the lock icon means something sometimes, and not other times, and learn to read raw HTML?
-- B
--
In a realm outside causality and function |
|
dirtrat
join:2001-10-08
Woodland, CA
| reply to Steve
Well then you are alot more trusting of these MONEY MAKING banks and organizations to do the right thing than I am. I sure hope that works out for you!
said by Steve :said by jefe :Doesn't that have the effect of sending your userid and password in plain text? No way: it's not the fetch of the main page that determines this, but the action upon submit, and everybody still encrypts the important stuff. It's very expensive to encrypt large amounts of home-page traffic that doesn't really require it, and doing this just so ignorant people feel better just ends up imposting costs on everybody for no good purpose (hmmm, that sounds just like our war on terrorism). Steve |
|
Rexter
YeeHaw
join:2002-11-17
cloud 9
| reply to Steve
I prefer to know that it's being encrypted before I submit sensitive information. I think that it's bad form to train people to input sensitive information into a non encrypted page.
Why is this such an issue anyway? The entire home page doesn't have to be encrypted. Can't they just create a small encrypted frame, on the home page?
--
When all is said, and done, there will be more said than done. |
|
Martinus
Premium
join:2001-08-06
EU
| said by Rexter :Can't they just create a small encrypted frame, on the home page? Having an encrypted frame inside a frameset where other frames are not encrypted won't display the HTTPS padlock.
--
From the GSV "Ethics Gradient" |
|
dslhater
Premium
join:2001-09-24
Chicopee, MA
clubs:
edit:
August 25th, @12:12PM
| reply to Steve
And that last commment has to do with banks??? |
|
Rexter
YeeHaw
join:2002-11-17
cloud 9
| reply to Martinus
You're referring to a non encrypted page that loads an encrypted frame. I'm talking about an encrypted frame that loads the rest of the non encrypted page. Yea, I really said it backwards. Lets say the URL is https, but that address only contains 1 small frame, on the page, that loads the rest of the non encrypted page.
I must admit that I still wouldn't like it. I wouldn't be able to tell, at a glance, if the frame, where my username and password is going, is encrypted or not. But this would appease Steves' so called "ignorant people."
--
When all is said, and done, there will be more said than done. |
|
