In message <[EMAIL PROTECTED]>, "Perry E. Metzger" writes:
>Jerrold Leichter <[EMAIL PROTECTED]> writes:
>> If you look at their site now, they *claim* to have fixed it:  The login box
>> has a little lock symbol on it.  Click on that, and you get a pop-up window 
>> discussing the security of the page.  It says that although the page itself 
>> isn't protected, "your information is transmitted via a secure environment".
>> No clue as to what exactly they are doing, hence if it really is secure.
>They're still doing the wrong thing. Unless the page was transmitted
>to you securely, you have no way to trust that your username and
>password are going to them and not to someone who cleverly sent you an
>altered version of the page.

They're doing the wrong thing, and probably feel they have no choice.  
Setting up an SSL session is expensive; most people who go to their 
home page do not log in, and hence do not (to Amex) require 
cryptographic protection.

A few years ago, I talked with someone who was setting up a system that 
really needed security.  Given how few pages people would visit on the 
site, though, he estimated that it would increase his costs by a factor 
of about 15.  (I didn't verify the numbers; I know from experience that 
he's competent and has his hear in the right place re security).

                --Steven M. Bellovin,

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to