Perry makes a lot of good points, but then gives a wrong example re Amex
site (see below). Amex is indeed one of the unprotected login sites (see
my `I-NFL Hall of Shame`, http://AmirHerzberg.com/shame.html). However,
Amex is one of the few companies that actually responded seriously to my
warning on this matter. In fact, I think they are the _only_ company
that responded seriously - but failed to fix their site... I had an
interesting discussion with their security and web folks, and my
conclusions are:
1. These are serious people who understand technology and security
reasonably well. They are aware of many attacks, including much more
advanced spoofing attacks (that can foil even an expert user of a
`regular` browser - by regular I mean without improved security
indicators like provided by TrustBar). Unfortunately, they use this
awareness to justify to themselves the lack of protection (`why should I
put a lock when some people know how to break it?`).
2. They have a serious problem in using SSL in their homepage, and for
business reasons, they don't want to put the login on a different page.
3. They did not actually spell out the problem in using SSL in the
homepage (like eTrade, for instance). But I think I know the reason
(they didn't confirm or deny). I think the reason is that they host
their site; in particlar, when I tried accessing it via https, I got an
Akamai certificate... [I don't think they liked this observation; now
you are led to the unprotected site]
4. Ultimately, what we have here is simply the `usability beats
security` rule...
In fact, I'm bcc:ing their lead person, in case he wants to chip in and
protect their professional image better than me (how about: `we
reconsidered and will fix our login process`?)
below are the relevant parts of Perry's message... I think you'll agree
you picked wrong example.
...
The benefits, however, are very obvious and large, and the cost is as
close to nil as anything gets in business.
...
You want to understand the real problem in security? It isn't your
constant mythical attention to "cost". It is human stupidity.
Have a look, for example, at
http://www.americanexpress.com/
which encourages users to type in their credentials, in the clear,
into a form that came from lord knows where and sends the information
lord knows where. Spoof the site, and who would notice?
As I said, I agree with the above (and most of the removed stuff).
But below you jumped to the wrong conclusions.
Every company should be telling its users never to type in their
credentials on a web page downloaded in the clear, but American
Express and lots of other companies train their users to get raped,
and why do they do it? Not because they made some high level decision
to screw their users. Not because they can't afford to do things
right. It happens because some idiot web designer thought it was a
nice look, and their security people are too ignorant or too powerless
to stop it, that's why.
It has nothing to do with cost. The largest non-bank card issuer in
the world can pay for the fifteen minutes of time it would take to fix
it by putting the login on a separate SSL protected page. It has
nothing to do with "ease of use" or tools that default "safe". The
problem is that they don't know there is anything to fix at a level
of the firm that is capable of taking the decision to fix it.
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
New: see my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame.html
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
