On 7/19/07, Michael S. Altus <[EMAIL PROTECTED]> wrote:
Should login pages be secured (https)? A bank has a login page that has account holders log in with their user ID and password on an unsecured (http) page. This goes to a secure site (https). A bank staff person told me that the log in page need not be secure. Is that correct?
It depends on what you are protecting against. Interestingly, in practice most sites have the login page as HTTPS. The reason is that with an HTTP login page, the user ID and password is being passed in the clear from your PC to the web site. So anyone looking at network traffic can get your username and password easily. Even GMail has an HTTPS login page and then sends you to regular HTTP for doing your email. The same is true for Yahoo mail and probably many other otherwise non-protected sites. I would think a financial institution would be more careful. All the financial institutions I use have the HTTPS login page as well as every other page.

-- John DeCarlo, My Views Are My Own
