Perry E. Metzger wrote:
Ben Laurie <[EMAIL PROTECTED]> writes:

Perry E. Metzger wrote:

"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to them and not to someone who cleverly sent you an
altered version of the page.

They're doing the wrong thing, and probably feel they have no
choice.  Setting up an SSL session is expensive; most people who go
to their home page do not log in, and hence do not (to Amex)
require cryptographic protection.

That's why Citibank and most well run bank sites have you click on a
button on the front page to go to the login screen. There are ways to
handle this correctly.

Why is this better? The button you click can just as easily take you
to a site other than the one intended.
When I go to the SSL protected page, I can look at the URL and the
lock icon in the corner before typing in my password. When you type in
your password BEFORE the SSL connection, by the time you realize that
it went to the wrong place, it is way too late.

I admit that not everyone will check the URL and the lock icon, but at
least it is *possible* to train people to do the right thing on
that. There is no way, effectively, to train people to be safe given
the way that Amex is set up.

But even if you have seen the lock and the URL, you are still vulnerable to homograph attacks and simply names that look right but aren't. I notice that AmEx have registered a _lot_ of names to make this hard, but even they don't win, for example:

$ whois americanexpresscard.co.uk

    Domain Name:
        americanexpresscard.co.uk

    Registrant:
        Lantec Corporation

    Registrant's Address:
        8 Copthall
        Roseau
        Commonwealth of Dominica
        00152
        DM

Oops.

Cheers,

Ben.

--
>>>ApacheCon Europe<<<                   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
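The two failure modes raised in the thread (a password form served over plain HTTP, and a lookalike or homograph hostname that passes a glance at the URL bar) can be checked mechanically before a login form is trusted. The following is an added example, not code from anyone in the thread; the brand allow-list and the tiny public-suffix stand-in are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: brand token -> registrable domains it legitimately uses.
KNOWN_DOMAINS = {"americanexpress": {"americanexpress.com"}}
# Constructed stand-in for the Public Suffix List; a real check would load the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(host):
    """'a.b.co.uk' -> 'b.co.uk', 'www.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def homograph_findings(host):
    """Flag labels that use non-ASCII characters or mix Unicode scripts.

    The script is taken from the first word of the character's Unicode name,
    so a Cyrillic 'а' inside an otherwise Latin label shows up as mixed-script.
    """
    findings = []
    for label in host.split("."):
        if any(ord(c) > 127 for c in label):
            findings.append(f"non-ascii label: {label!r}")
        scripts = {unicodedata.name(c, "?").split(" ")[0] for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
    return findings


def lookalike_findings(url):
    """Return a list of reasons not to type a password into this URL (empty = none found)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    # The lock icon exists only on TLS; a form on a plain-HTTP page is the Amex case above.
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, not https")
    findings += homograph_findings(host)
    # Brand string present but registrable domain not on the allow-list: americanexpresscard.co.uk style.
    reg = registrable_domain(host)
    for brand, allowed in KNOWN_DOMAINS.items():
        if brand in host.lower().replace("-", "") and reg not in allowed:
            findings.append(f"brand {brand!r} in hostname but registrable domain is {reg!r}")
    return findings
```

A browser-side or proxy-side check of this kind catches the cases the thread names; it does not replace an allow-list the user actually maintains, since the brand table is the only thing that distinguishes the real domain from a convincing one.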