[Dshield] Banks Shifting Logins to Non-SSL Pages

Stephane Grobety security at admin.fulgan.com
Tue Aug 23 14:53:07 GMT 2005

Actually, it simply doesn't matter.

1/ Home users simply don't know about security. Training doesn't help
2/ The backbone of the HTTPS system, the CA root market, has gone
rotten beyond recognition. Poor security and poor practices at the CA
roots have made it easy to obtain a certificate for a domain that you
don't own (easy isn't "trivial", though).
3/ Even if the above wasn't true, none of the mainstream browsers on
the market has default behavior that is not leading into security
failure by default. In case of an incorrect certificate, users are
presented with a dialog that easily allows them to ignore the problem.
Worse: many web sites actually TRAIN their users to ignore this
problem by asking them to dismiss the warning.
4/ On Windows, installing a new root is a trivial task. I'm
really surprised that, so far, no malware did so in order to work
around ALL built-in protection. With the right certificate root in
place, it could easily run software transparently, spoof secure web
sites, and generally speaking, lure the user into thinking the proper
security is in place. I guess that it's not even necessary given the
other problems. (I don't know about Linux, OSX or other OSs so I can't
really comment on them. If anyone feels like it, I'd be interested in
some details).

So, honestly, if some US banks decide to save some processing power
and gain some scalability by switching to non-SSL front pages, I
hardly see it as a reduction of the overall security. It's not very
intelligent, but it's unlikely to do much harm.

FPF> After years of training customers to trust only SSL-enabled
FPF> sites, banks are shifting their online banking logins to the
FPF> unencrypted home pages of their websites. Although the data is
FPF> encrypted once the user hits the "Sign In" button, the practice
FPF> runs counter to years of customer conditioning, as well as the
FPF> goals of the browser makers. Three of the five largest U.S. banks
FPF> now display login forms on non-SSL home pages, including Bank of
FPF> America, Wachovia and Chase, as well as financial services giant
FPF> American Express.
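The quoted article describes login forms served from unencrypted home pages, with the credentials only encrypted once the user hits "Sign In". The weakness is that a form delivered over plain HTTP can be rewritten in transit before the user ever submits it, so the HTTPS action alone proves nothing. The following is an added example, not code from the thread or from any bank: a small offline auditor, written against the Python standard library, that parses a page's HTML and flags every form containing a password field whose page URL or form action is not HTTPS. The example-bank.test hostnames and the HTML fragments are constructed for the demonstration.

```python
"""Flag login forms that are served over, or submit over, plain HTTP.

Added example for the Dshield thread above (not the list's or any bank's
code). It uses only the standard library so it runs offline against
HTML you already have; fetching the page is left to the caller.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect, for every <form>, its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []       # each entry: {"action": str | None, "password": bool}
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # <input> is a void element; HTMLParser still reports it here.
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return a list of (resolved_action_url, reason) findings.

    Only forms that contain a password field are examined. An empty list
    means every such form is both served and submitted over HTTPS.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        # Resolve relative or missing actions against the page URL, as a browser would.
        action = urljoin(page_url, form["action"] or "")
        action_scheme = urlsplit(action).scheme.lower()
        if page_scheme != "https":
            # The form itself arrived unauthenticated: an on-path attacker could
            # have changed the action before the user pressed "Sign In", so the
            # HTTPS action gives the user no real assurance.
            findings.append((action, "login form served over non-HTTPS page"))
        elif action_scheme != "https":
            findings.append((action, "credentials submitted over non-HTTPS action"))
    return findings


# Constructed sample markup (not real bank pages).
SAMPLE_HTTP_HOME = """
<html><body>
<form action="https://login.example-bank.test/signin" method="post">
  <input name="user"><input type="password" name="pass">
  <input type="submit" value="Sign In">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""

SAMPLE_HTTPS_BAD_ACTION = """
<form action="http://login.example-bank.test/signin" method="post">
  <input type="PASSWORD" name="pw">
</form>
"""


if __name__ == "__main__":
    for url, html in [("http://www.example-bank.test/", SAMPLE_HTTP_HOME),
                      ("https://www.example-bank.test/", SAMPLE_HTTPS_BAD_ACTION),
                      ("https://www.example-bank.test/", SAMPLE_HTTP_HOME)]:
        print(url, audit_login_forms(url, html) or "OK")
```

Run on the first sample, the auditor reports the form even though its action is HTTPS, because the page carrying the form was not; the search form without a password field is ignored. The same HTML served from an HTTPS URL produces no finding, which is exactly the distinction the quoted article turns on.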

