In message <[EMAIL PROTECTED]>, "Perry E. Metzger" writes:
>
>"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>>>They're still doing the wrong thing. Unless the page was transmitted
>>>to you securely, you have no way to trust that your username and
>>>password are going to them and not to someone who cleverly sent you an
>>>altered version of the page.
>>
>> They're doing the wrong thing, and probably feel they have no choice.  
>> Setting up an SSL session is expensive; most people who go to their 
>> home page do not log in, and hence do not (to Amex) require 
>> cryptographic protection.
>
>That's why Citibank and most well run bank sites have you click on a
>button on the front page to go to the login screen. There are ways to
>handle this correctly.

There's an attack there, too -- one can divert the link to the login 
screen.
>
>The other major offender are organizations (such as portions of
>Verizon) that subcontract payment systems to third parties. They are
>training their users to expect to be directed to a site they don't
>recognize to enter in their credit card information. "Really! This is
>your vendor's payment site! Pay no attention to the URL and
>certificate!"
>
>That one in particular takes amazing brains...
>
It's a tough problem: they want to outsource the payment processing, 
but don't have the infrastructure to do so properly.


                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to