In the ongoing comedy of errors that is US online banking "security" I've just run into another one that's good for a giggle: Go to www.wachovia.com and, without entering any credentials, click 'Login' on their unsecured logon page. You get taken to an authenticated, SSL-secured... error message page. The error message page gives you a chance to retry your logon, carefully redirecting you back to the insecure logon page. So displaying a glorified 401 requires SSL, but obtaining user credentials doesn't.
(Insert standard moan about US banks here). On a semi-related topic, it'd be interesting to get some discussion about FF3 removing the FF2 SSL indicators of the padlock and (more visibly) the background colour-change for the URL bar when SSL is active and replacing it with a spoof-friendly indicator that's part of the favicon, i.e. part of the attacker-controlled content. The URL bar colouring was by far the most visible security indicator that any web browser had, the giant leap backwards of moving to a near-invisible blue border around the favicon does nothing to indicate security and is trivially spoofed by putting a blue border around the favicon. There's a bugzilla bug filed against it, https://bugzilla.mozilla.org/show_bug.cgi?id=430790 (with inevitable dups, e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=431495) but there's no indication that the FF developers are interested in fixing it. From the discussion thread on bugzilla it seems the reason is that only EV certs matter so there's no point in paying much attention to non-EV certs. (Again, roll standard music about EV certs benefitting no-one but the CAs selling them). Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]