Amir Herzberg <[EMAIL PROTECTED]> writes:

> Perry makes a lot of good points, but then gives a wrong example re
> Amex site (see below). Amex is indeed one of the unprotected login
> sites (see my `I-NFL Hall of Shame`,
> http://AmirHerzberg.com/shame.html). However, Amex is one of the few
> companies that actually responded seriously to my warning on this
> matter. In fact, I think they are the _only_ company that responded
> seriously - but failed to fix their site...

[...]

I'm surprised that they responded to you. I tried to get them to respond to my inquiries about it for weeks without any success. I did get a nice letter from JP Morgan Chase telling me I was crazy and that there is no security problem on their site (which suffers from the same problem). I probably should publish it to assure the dismissal of the people responsible for sending it to me.

> 2. They have a serious problem in using SSL in their homepage, and for
> business reasons, they don't want to put the login on a different
> page.

Well, those "business reasons" are pretty obviously an incorrect balance of security and convenience, as I'm sure you would agree. The inconvenience of having to click one more button to get to your account is minimal -- almost unmeasurably small. The inconvenience of the company having to explain to tens of thousands of people that they've screwed them badly, along with all of the money lost, is substantially higher. One day they'll be paying that second inconvenience.

Many other financial institutions get this right, by the way. Citigroup gets this right. If their customers can click onto another page, so can customers of American Express, Chase, etc.

> below are the relevant parts of Perry's message... I think you'll
> agree you picked wrong example.

I don't agree. I think this is still a case of human frailty causing a security problem, rather than some sort of technological issue. If you know what the problem is and you decide not to do anything about it because you believe that "for business reasons" you shouldn't put the login on a separate page, you've got nothing to blame for your future security problems other than yourself.

My point is simple. We have enough protocols, software, etc. to avoid most of the security issues we have to deal with at this point. Most of the remaining problem tends to be human beings. In this case, the human beings are security people who know better but give in when management decides for what amounts to aesthetic reasons that it needs a login on the front page that isn't protected by SSL.

> As I said, I agree with the above (and most of the removed stuff).
> But below you jumped to the wrong conclusions.

I disagree. I'll stand by most of what I said.

>> Every company should be telling its users never to type in their
>> credentials on a web page downloaded in the clear, but American
>> Express and lots of other companies train their users to get raped,

And they are indeed training their users to enter security credentials on insecure pages.

>> and why do they do it? Not because they made some high level decision
>> to screw their users. Not because they can't afford to do things
>> right. It happens because some idiot web designer thought it was a

And if in this one case it turns out that they did indeed make a high level decision to screw their users, so much the worse.

--
Perry E. Metzger [EMAIL PROTECTED]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
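The check the thread is arguing about can be automated. The script below is an added example, not code from the mailing-list post or from any of the companies named in it: given the URL a page was fetched from and its HTML, it reports every form containing a password field and classifies it. The verdict encodes the post's point: a login form carried by a page that arrived in the clear is unsafe even when its action is an https URL, because a man-in-the-middle who can alter the cleartext page can also rewrite where the form posts. The hostnames (`www.example-bank.test`) and the HTML snippets are constructed for the example.

```python
"""Flag password forms that a browser would receive over cleartext HTTP.

Added example (not from the original post). Assumptions: the page was
fetched by some other means and we are handed its URL and body; the
hostnames and HTML below are constructed sample inputs.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> and note whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []          # one dict per form: action, has_password
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # HTMLParser lowercases tag/attribute names
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return [{'action': absolute URL, 'verdict': ...}] for each password form.

    Verdicts:
      'ok'              page and action both https
      'page-in-clear'   page arrived over http; action is irrelevant, since
                        an attacker who controls the page controls the form
      'submits-in-clear' https page whose form posts to an http URL
    """
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action_url = urljoin(page_url, form["action"] or page_url)
        action_scheme = urlsplit(action_url).scheme.lower()
        if page_scheme != "https":
            verdict = "page-in-clear"
        elif action_scheme != "https":
            verdict = "submits-in-clear"
        else:
            verdict = "ok"
        findings.append({"action": action_url, "verdict": verdict})
    return findings


# Constructed sample: a front page whose login form posts to https, plus an
# unrelated search form that must not be reported.
FRONT_PAGE = """
<html><body>
<form action="https://www.example-bank.test/login" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
  <input type="submit" value="Log in">
</form>
<form action="/search"><input name="q" type="text"></form>
</body></html>
"""

# Constructed sample: an https page whose form downgrades to http on submit.
DOWNGRADE_PAGE = """
<form action="http://www.example-bank.test/login" method="post">
  <input name="pass" type="password">
</form>
"""

if __name__ == "__main__":
    for url, body in [("http://www.example-bank.test/", FRONT_PAGE),
                      ("https://www.example-bank.test/", FRONT_PAGE),
                      ("https://www.example-bank.test/", DOWNGRADE_PAGE)]:
        for f in audit_login_forms(url, body):
            print(f"{url:<35} -> {f['action']:<45} {f['verdict']}")
```

The same front page scores `page-in-clear` when served over http and `ok` when served over https; the only difference is the scheme the user loaded it from, which is exactly the one-extra-click the post says the "business reasons" are refusing.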
