Quoting "Perry E. Metzger" <[EMAIL PROTECTED]>:

Now you might wonder, why do I keep picking on Chase?

A certain other security person and I had an extended argument with
the folks at another company I won't name other than to say that it was
American Express. At the time, they more or less said, "yah, this is a
problem, but fixing it is going to be a pain." However, I'll note that
now, as with Fidelity, you pretty much can't go onto their web site
without using https: -- kudos to Amex.

Indeed, though this was all a major problem a couple of years ago with
many banks, many have now fixed it. However, for a select few, like,
say, Chase, the message simply isn't getting through even though these
organizations have been repeatedly informed that they are leaving
their customers vulnerable. One wonders what level of trouble they're
going to have to get into before they actually do the right thing.

I'll just point out that you CAN go to:


And that works, and should be secure.   No, it's not the same as
typing "chase" into your browser and having the right thing happen,
but honestly this is what browser caches are for.  (When I type "chase"
into my browser bar it autocompletes to the above URL).


      Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
      Member, MIT Student Information Processing Board  (SIPB)
      URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
      [EMAIL PROTECTED]                        PGP key available

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
