[Dshield] Banks Shifting Logins to Non-SSL Pages

John B. Holmblad jholmblad at aol.com
Thu Aug 25 01:30:18 GMT 2005


Justin,

what SSL protection of the home page provides first and foremost is a 
measure of assurance that the client is communicating with the authentic 
host and not some rogue/spoofed site.  In practical terms that is more 
important than the data privacy implemented by means of the encrypted 
tunnel created by SSL, except in the case of 802.11 wireless access with 
weak/no encryption where SSL encryption becomes much more critical.  
Under the security "regime" imposed by service providers like AMEX and 
Chase, the user now has to trust that even though the home page to which 
they browsed has non-SSL protected elements, the part of the page 
pertaining to the logon sequence still originates from the authentic 
host and not some spoofed site. How can the user be assured that the 
Gold Lock shown in the supposedly secure Logon area of the www page has 
not been faked?

-- 
Best Regards,

John Holmblad

Televerage International
GSEC Gold,GCWN Gold,GGSC-0100,NSA-IAM

(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388

primary email address:     jholmblad at aol.com
backup email address:      jholmblad at verizon.net
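As an added example, not part of John's post or the list discussion: a small Python audit of the situation he describes, flagging a password form that posts to HTTPS but was delivered by a page fetched over plain HTTP, where the user cannot verify the form's origin. The page URL, HTML and hostnames are constructed for illustration.

```python
# Added example (not from the thread): audit a page's login forms for the
# pattern John describes. The page HTML and URLs below are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return one finding per password form whose origin a user cannot verify.
    A form posting to HTTPS is only as trustworthy as the page that carried it:
    over plain HTTP the browser cannot authenticate where the form came from."""
    findings = []
    page_is_tls = urlsplit(page_url).scheme.lower() == "https"
    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"] or page_url)
        if urlsplit(action).scheme.lower() != "https":
            findings.append(f"credentials posted in the clear to {action}")
        elif not page_is_tls:
            findings.append(f"login form origin unverified: {page_url} is not TLS")
    return findings


# Constructed sample: a plain-HTTP home page embedding an HTTPS-posting login form.
SAMPLE_PAGE_URL = "http://www.example-bank.test/"
SAMPLE_HTML = ('<form action="https://login.example-bank.test/auth"><input type="password" name="pw"></form>'
               '<form action="/search"><input type="text" name="q"></form>')
```

Running `audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML)` reports the embedded login form as unverifiable; the same HTML served from an https:// URL produces no finding.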
