[Dshield] Banks Shifting Logins to Non-SSL Pages

Ed Truitt ed.truitt at etee2k.net
Wed Aug 24 09:18:28 GMT 2005

Why would SOX come into play at all?  This is about online banking, not financial reporting systems at a publicly-traded corporation.  I think you might have been thinking of some other law (Gramm-somebody?)

-----Original Message-----
From: "Hernandez, Moses" <MHernandez3 at mercymiami.org>
Date: Tue, 23 Aug 2005 12:14:37 
To:"General DShield Discussion List" <list at lists.dshield.org>
Subject: Re: [Dshield] Banks Shifting Logins to Non-SSL Pages

> well as the goals of the browser makers. Three of the five largest U.S.
> banks now display login forms on non-SSL home pages, including Bank of
> America, Wachovia and Chase, as well as financial services giant American
> Express.

Damn, I use some of these financial institutions. I digress, however. Just
let me get to some of the meat and potatoes of the discussion.

> Web sites are generally reluctant to use "https" on busy home pages, since
> SSL involves a tradeoff: improved security, but slower response time.
> Consumers, meanwhile, prefer easy-to-remember URLs for their online
> banking. In placing login screens on non-SSL home pages, banks are trying
> to have it both ways: fast page loading without the SSL-related performance
> hit. The login form's "action" URL points to an SSL-enabled https URL.

Well, as far as HTTPS being intensive on processing power, there are
hardware-based, ASIC-based devices specifically meant to offload SSL
encryption from overwhelmed servers. I think it may be a cop-out
for not wanting to spend the extra money on security. With SOX in play I
am not exactly sure how they are circumventing it, but I would imagine
that since the "SUBMIT" is encrypted, and so is the data after, they have
figured out a "LOOPHOLE" in SOX. Additionally, consumers are not necessarily
unable to redirect from HTTP to HTTPS, so I am wondering what the actual
reasoning is, although I am sure there is a financial cost involved.

send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

-E D Truitt

Sent via my BlackBerry from Cingular Wireless
