Another problem is I believe it's MS that is sponsoring a 'green bar' at
the top of IE if the page is deemed secure.  But what it really means is
that MS has been paid well to put a green bar there.  Many very secure
websites, small business owners etc and those who don't want to be extorted
by MS won't go with the green bar.  So over time, some people will think
only these sites are safe.

Mike

On 7/19/07, db <[EMAIL PROTECTED]> wrote:

But I think the point that someone else made is really important.
Starting from a page that a layman can't visibly tell will be secure
doesn't help the general public know what is safe and what's not.

The end result of that ignorance ... which is promoted by this emerging
login technique ... is it will make website spoofing and thus account
credential theft easier in general.

db



Mason Miller wrote:
> The initial page's protocol (http vs. https) does not matter.  It is the
> method with which the data is sent to the server when the user hits
> submit.  As long as the form specifies an action that points to an
> address that begins with https, your data is secure. Nothing is passed
> in the clear when sending a request (or submitting a form) to a server
> via SSL (https).
>
> Mason
>
> John DeCarlo wrote:
>> On 7/19/07, Michael S. Altus <[EMAIL PROTECTED]> wrote:
>>>
>>> Should login pages be secured (https)? A bank has a login page that has
>>> account holders log in with their user ID and password on an unsecured
>>> (http) page.
>>> This goes to a secure site (https). A bank staff person told me that the
>>> log in page need not be secure.  Is that correct?
>>>
>>
>> It depends on what you are protecting against.
>>
>> Interestingly, in practice most sites have the login page as HTTPS.  The
>> reason is that with an HTTP login page, the user ID and password is being
>> passed in the clear from your PC to the web site.  So anyone looking at
>> network traffic can get your username and password easily.
>>
>> Even GMail has an HTTPS login page and then sends you to regular HTTP for
>> doing your email.  The same is true for Yahoo mail and probably many other
>> otherwise non-protected sites.
>>
>> I would think a financial institution would be more careful.  All the
>> financial institutions I use have the HTTPS login page as well as every
>> other page.
>>
>
>
> ************************************************************************
> * ==> QUICK LIST-COMMAND REFERENCE - Put the following commands in  <==
> * ==> the body of an email & send 'em to: [EMAIL PROTECTED] <==
> * Join the list: SUBSCRIBE COMPUTERGUYS-L Your Name
> * Too much mail? Try Daily Digests command: SET COMPUTERGUYS-L DIGEST
> * Tired of the List? Unsubscribe command: SIGNOFF COMPUTERGUYS-L
> * New address? From OLD address send: CHANGE COMPUTERGUYS-L
> YourNewAddress
> * Need more help? Send mail to: [EMAIL PROTECTED]
> ************************************************************************
> * List archive at www.mail-archive.com/[email protected]/
> * RSS at
> www.mail-archive.com/[email protected]/maillist.xml
> * Messages bearing the header "X-No-Archive: yes" will not be archived
> ************************************************************************
>





