[Dshield] Banks Shifting Logins to Non-SSL Pages

stu secmail at patchsupplier.dyndns.org
Wed Aug 24 12:46:33 GMT 2005


But they could have 3 SSL servers.

I go to ibanking.mybank.com

That looks at the load on the servers and redirects me to the server
with the least load

https://ibanking3.mybank.com

I don't think any of it is a real issue to be honest. I think for them
to go back on what they've tried to teach users is wrong, but I didn't
agree with the SSL icon in the first place as most of the details are
leaked through social engineering or key loggers on the system in use,
which SSL doesn't offer protection over (remembering, of course, that
account details exist in the physical world as well).

Just my thoughts,

Stu

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Stephane Grobety
Sent: 24 August 2005 13:00
To: General DShield Discussion List
Subject: Re: [Dshield] Banks Shifting Logins to Non-SSL Pages

ET> Well as far as Https being intensive on processing power, there are
ET> hardware based, asic based devices specifically meant to offload SSL
ET> encryption schemes from overwhelmed servers.

It still makes it more expensive to serve a web page over SSL. There
are other issues: with HTTP, you can easily share the load over several
servers. With HTTPS, however, you're creating a very strong affinity
between the client and the server that answered.


Good luck,
Stephane

