"Perry E. Metzger" <[EMAIL PROTECTED]> writes:

>"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>>>They're still doing the wrong thing. Unless the page was transmitted
>>>to you securely, you have no way to trust that your username and
>>>password are going to them and not to someone who cleverly sent you an
>>>altered version of the page.
>>
>> They're doing the wrong thing, and probably feel they have no choice.
>> Setting up an SSL session is expensive; most people who go to their
>> home page do not log in, and hence do not (to Amex) require
>> cryptographic protection.
>
>That's why Citibank and most well run bank sites have you click on a button
>on the front page to go to the login screen. There are ways to handle this
>correctly.
I was just going to mention this myself because I've noticed local banks
doing it: you click on some "log in for online banking" link and get to an
HTTPS login page that's distinct from the HTTP main page.

For Mozilla/Firefox users, grab a copy of the TargetAlert extension and
you'll see this on the originating page; TargetAlert will tag the login link
with the "opens in new window" indicator and the "HTTPS" indicator (the usual
yellow padlock). When you've got TargetAlert installed, go to e.g.
http://www.asbbank.co.nz/ to see this.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
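The check the thread is circling around, as an added example that is not part of any post: a small Python audit that flags every password form on a page whose own delivery was plain HTTP, which is Bellovin's point that posting to HTTPS is not enough if the form itself could have been altered in transit. The hostname and HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an HTTP home page embedding a login form that posts
# to HTTPS, the pattern criticised in the thread. Hostname is a placeholder.
HOME_URL = "http://www.example-bank.test/"
HOME_HTML = """<form action="https://www.example-bank.test/login" method="post">
<input name="user"><input type="password" name="pw"></form>
<form action="/search"><input name="q"></form>"""

class _FormScanner(HTMLParser):
    """Collect [action, has_password_field] for every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_forms(page_url, html):
    """Return (form_target, verdict) for each password form on the page.
    'http-page'   page came over plain HTTP, so the form could have been
                  altered in transit even though it posts to HTTPS
    'http-action' credentials would travel in the clear
    'ok'          page and form target both HTTPS
    """
    scanner = _FormScanner()
    scanner.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action, has_pw in scanner.forms:
        if not has_pw:
            continue
        target = urljoin(page_url, action)   # resolve relative actions
        verdict = ("http-page" if not page_https
                   else "http-action" if urlsplit(target).scheme != "https"
                   else "ok")
        findings.append((target, verdict))
    return findings
```

Run against HOME_URL/HOME_HTML it reports the login form as 'http-page'; the same form on an HTTPS-delivered page, like the separate login pages the banks above use, comes back 'ok'.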