| Perry makes a lot of good points, but then gives a wrong example re Amex site
| (see below). Amex is indeed one of the unprotected login sites (see my `I-NFL
| Hall of Shame`, http://AmirHerzberg.com/shame.html). However, Amex is one of
| the few companies that actually responded seriously to my warning on this
| matter. In fact, I think they are the _only_ company that responded seriously
| - but failed to fix their site... I had an interesting discussion with their
| security and web folks, and my conclusions are:
| 
| 1. These are serious people who understand technology and security
| reasonably well. They are aware of many attacks, including much more
| advanced spoofing attacks (that can foil even an expert user of a `regular`
| browser - by regular I mean without improved security indicators like
| provided by TrustBar).  Unfortunately, they use this awareness to justify to
| themselves the lack of protection (`why should I put a lock when some people
| know how to break it?`)....
|
| 4. Ultimately, what we have here is simply the `usability beats security`
| rule...
If you look at their site now, they *claim* to have fixed it:  The login box 
has a little lock symbol on it.  Click on that, and you get a pop-up window 
discussing the security of the page.  It says that although the page itself 
isn't protected, "your information is transmitted via a secure environment".

No clue as to what exactly they are doing, hence if it really is secure.

                                                        -- Jerry


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to