Protected or not, AmericanExpress.com has multiple web vulnerabilities -
I wouldn't log into it with a ten-foot pole :)

-Lance

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Perry E. Metzger
Sent: Wednesday, June 08, 2005 12:16 PM
To: Jerrold Leichter
Cc: Amir Herzberg; cryptography@metzdowd.com
Subject: Re: AmEx unprotected login site


Jerrold Leichter <[EMAIL PROTECTED]> writes:
> If you look at their site now, they *claim* to have fixed it:  The login box
> has a little lock symbol on it.  Click on that, and you get a pop-up window
> discussing the security of the page.  It says that although the page itself
> isn't protected, "your information is transmitted via a secure environment".
>
> No clue as to what exactly they are doing, hence if it really is secure.

They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to them and not to someone who cleverly sent you an
altered version of the page.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
[EMAIL PROTECTED]


