I probably wasted more time than anybody on this crazy topic, and in particular:
1. I keep a `Hall of Shame` site of such unprotected login pages (even got me a DigiCrime title: Inter-Net Fraud League Commissioner!)
2. With others, we develop TrustBar, an improved security indicator toolbar for Firefox, which also tries to protect users of unprotected login pages, e.g. by automatically redirecting to protected pages when found.

Some results/observations:
1. Few companies that had a dialog with me said their marketing/site design folks insist on login via the homepage, claiming this is so much better for consumers compared to a separate login page. I see this as a very very extreme case of `usability beats security`.
2. Same companies also claimed that using SSL on homepage is too much overhead. Extreme case of `performance beats security`.
3. One company responded (to my warning of their unprotected login and the fact I'm going to add them to `hall of shame`) by legal threats. Typical case of `pay lawyers a lot, to avoid doing things right`.
4. One company sent me coupons for free trades. Rare example, I'm afraid...

--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame

---------------------------------------------------------------------
The Cryptography Mailing List