Perry E. Metzger wrote:
> "Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>
> > > They're still doing the wrong thing. Unless the page was transmitted
> > > to you securely, you have no way to trust that your username and
> > > password are going to them and not to someone who cleverly sent you an
> > > altered version of the page.
> >
> > They're doing the wrong thing, and probably feel they have no choice. Setting up an SSL session is expensive; most people who go to their home page do not log in, and hence do not (to Amex) require cryptographic protection.
>
> That's why Citibank and most well run bank sites have you click on a
> button on the front page to go to the login screen. There are ways to
> handle this correctly.

Why is this better? The button you click can just as easily take you to a site other than the one intended.

--
>>>ApacheCon Europe<<<                   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
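An added example, not from the thread or any of its participants, of the check a site operator could run over their own front page to catch both patterns discussed above: a password form on an unauthenticated page, and a "click here to log in" link on an unauthenticated page, which is no better because the link itself arrives unprotected. The HTML snippets and the hostname example.test are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginSurfaceParser(HTMLParser):
    """Collect forms carrying a password field, and links pointing at a login page."""

    def __init__(self):
        super().__init__()
        self.forms = []          # entries of [action, has_password_field]
        self._current = None     # index into self.forms while inside a <form>
        self.login_links = []    # hrefs whose path mentions "login"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([a.get("action", ""), False])
            self._current = len(self.forms) - 1
        elif tag == "input" and a.get("type", "").lower() == "password":
            if self._current is not None:
                self.forms[self._current][1] = True
        elif tag == "a" and "login" in a.get("href", "").lower():
            self.login_links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_surface(page_url, html):
    """Return findings for a page that was fetched from page_url."""
    findings = []
    page_https = urlparse(page_url).scheme == "https"
    p = LoginSurfaceParser()
    p.feed(html)
    for action, has_pw in p.forms:
        if not has_pw:
            continue
        target = urljoin(page_url, action)
        # The form's action is irrelevant if the page carrying it was not
        # delivered securely: an altered page can point it anywhere.
        if not page_https:
            findings.append(f"password form on non-HTTPS page {page_url}")
        if urlparse(target).scheme != "https":
            findings.append(f"password form posts over non-HTTPS to {target}")
    if not page_https:
        # Same objection to the "login button": the link is as forgeable as the form.
        for href in p.login_links:
            findings.append(f"login link served over non-HTTPS: {urljoin(page_url, href)}")
    return findings


# Constructed samples: a password form on the front page, and a login button.
FORM_ON_FRONT_PAGE = '<form action="https://example.test/login"><input type="password" name="pw"></form>'
BUTTON_ON_FRONT_PAGE = '<a href="https://example.test/login">Log in</a>'
```

Both samples are flagged when the front page is fetched over plain HTTP, and neither is flagged when the same front page is fetched over HTTPS.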