[Dshield] Banks Shifting Logins to Non-SSL Pages

Hernandez, Moses MHernandez3 at mercymiami.org
Tue Aug 23 16:14:37 GMT 2005

>well as the goals of the browser makers. Three of the five largest U.S.
>banks now display login forms on non-SSL home pages, including Bank of
>America, Wachovia and Chase, as well as financial services giant
>American Express.

Damn, I use some of these financial institutions. I digress, however. Just
let me get to some of the meat and potatoes of the discussion.

>Web sites are generally reluctant to use "https" on busy home pages,
>since SSL involves a tradeoff: improved security, but slower response
>time. Consumers, meanwhile, prefer easy to-remember URLs for their
>online banking. In placing login screens on non-SSL home pages, banks
>are trying to have it both ways: fast page loading without the
>SSL-related performance hit. The login form's "action" URL points to an
>SSL-enabled https URL.

Well, as far as HTTPS being intensive on processing power, there are
hardware-based, ASIC-based devices specifically meant to offload SSL
encryption schemes from overwhelmed servers. I think it may be a cop-out
for not wanting to spend the extra money on security. With SOX in play I
am not exactly sure how they are circumventing it, but I would imagine
that since the "SUBMIT" is encrypted and so is the data after, they have
figured a "LOOPHOLE" in SOX. Additionally, consumers are not necessarily
unable to redirect from HTTP to HTTPS, so I am wondering what the actual
reasoning is, although I am sure there is a financial cost involved.
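
The pattern the quoted article describes, a login form served on a non-SSL page whose "action" points to an https URL, can be checked for mechanically. The following Python is an added example, not part of the original message or the quoted article; the class and function names, the verdict labels and the sample markup (on the reserved `bank.example` domain) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormAuditor(HTMLParser):
    """Record the action URL of every <form> that holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []
        self._form = None  # [action, has_password] while inside a <form>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._form = [urljoin(self.page_url, attrs.get("action") or ""), False]
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form[1]:
                self.actions.append(self._form[0])
            self._form = None


def audit(page_url, html):
    """Return (action_url, verdict) for each login form found in html."""
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    page_tls = urlparse(page_url).scheme == "https"
    results = []
    for action in parser.actions:
        if urlparse(action).scheme != "https":
            verdict = "cleartext-submit"
        elif not page_tls:
            # The quoted article's pattern: https action, non-SSL page.
            verdict = "form-on-non-ssl-page"
        else:
            verdict = "ok"
        results.append((action, verdict))
    return results


# Constructed sample markup, not copied from any real site.
SAMPLE = """<form action="https://secure.bank.example/login" method="post">
<input type="text" name="user"><input type="password" name="pw"></form>
<form action="/search"><input type="text" name="q"></form>"""
```

Calling `audit("http://www.bank.example/", SAMPLE)` reports the login form as `form-on-non-ssl-page`; the same markup audited under an `https://` page URL is reported as `ok`.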
