Banks like Bank of America have taken some flak in the past for their awful online banking security practices. I was poking around their home page today because I wanted some screenshots to use as examples of how not to do it and I noticed the following incredible message, which appears when you click on the tiny padlock icon next to the login dialog:
    Browser security indicators

    You may notice when you are on our home page that some familiar indicators do not appear in your browser to confirm the entire page is secure. Those indicators include the small "lock" icon in the bottom right corner of the browser frame and the "s" in the Web address bar (for example, "https"). To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Again, please be assured that your ID and passcode are secure and that only Bank of America has access to them.

Yep, no need to worry about those silly browser security indicators, just hand over your banking logon details to anything capable of displaying a Bank of America logo on a web page.

(Another thing I noticed is that if you indicate that your logon state is WA or ID, you get sent to an HTTPS page which asks for your SSN alongside your name and password. Anyone know what legal requirement is behind that?)

Amex is another example of this type of user training:

    Security is important to everyone! Please be assured that, although the home page itself does not have an "https" URL, the login component of this page is secure. When you enter your User ID and password, your information is transmitted via a secure environment, and once the login is complete, you will be redirected to our secure area.

Wachovia has:

    Browser security indicators

    You may notice when you are on our home page that some familiar indicators do not appear in your browser to confirm the entire page is secure. Those indicators include the small "lock" icon in the bottom right corner of the browser frame and the "s" in the Web address bar (for example, "https"). To provide the fastest access to our home page, we have made signing in to Online Services secure without making the entire page secure. Again, please be assured that your ID and password are secure.

(hmm, their admins must have gone to the same security night school as the BoA ones :-).

Can anyone who knows Javascript better than I do figure out what the mess of script on those pages is doing? It looks like it's taking the username and password and posting it to an HTTPS URL, but it's rather spaghetti-ish code so it's a bit hard to follow what's going where.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]