* Perry E. Metzger:
> If you go over to, say, www.fidelity.com, you will find that you can't
> even get to the http: version of the page any more -- you are always
> redirected to the https: version.
Of course, this only helps if users visit the site using bookmarks that were created after the switch. If they enter "fidelity.com" (or even just "fidelity") into their browsers to access it, the switch to HTTPS won't help at all. Perhaps this explains why someone might think that serving the login page over HTTPS is just security theater.

In the same "we use HTTPS and are still vulnerable to MITM attacks" department, there's the really old issue of authenticating cookies which are not restricted to HTTPS, but will be happily sent over HTTP as well. *sigh*

Apart from that, the article you linked to does not even mention actual attacks with an identity theft motive. What's worse, the suggested countermeasures don't protect you at all. Ad-hoc networks are insecure, and those with an access point are secure? Yeah, right.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
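As an added illustration of the unprotected-cookie point made in the post above (example code written for this page, not part of the original message): a small audit that parses Set-Cookie headers, lists the cookies a browser would still attach to a plain http:// request to the same host (those lacking the Secure attribute), and shows the hardened form. The header lines are constructed samples, not captured from any real site.

```python
"""Audit Set-Cookie headers for cookies that leak over plain HTTP.

A cookie without the Secure attribute is sent on http:// requests too, so
serving the login page over HTTPS alone does not keep the session token
off the wire once the user (or a link) falls back to http://.
"""

# Constructed sample response headers (not from any real site).
SAMPLE_HEADERS = [
    "Set-Cookie: session=abc123; Path=/; HttpOnly",
    "Set-Cookie: auth=deadbeef; Path=/; Secure; HttpOnly",
    "Set-Cookie: prefs=dark; Path=/",
]

# Canonical spelling for attributes when re-rendering a header.
CANON = {"secure": "Secure", "httponly": "HttpOnly", "path": "Path",
         "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
         "samesite": "SameSite"}

def parse_set_cookie(header_line):
    """Parse one 'Set-Cookie:' line into (name, value, attributes).
    Attribute names are lower-cased; valueless flags map to True."""
    _, _, body = header_line.partition(":")
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs

def cookies_sent_over_http(header_lines):
    """Names of cookies a browser would send on an http:// request,
    i.e. every cookie that was set without the Secure attribute."""
    return [parse_set_cookie(line)[0] for line in header_lines
            if not parse_set_cookie(line)[2].get("secure")]

def harden(header_line):
    """Rewrite a Set-Cookie line so the cookie is HTTPS-only and hidden
    from script: add Secure and HttpOnly where they are missing."""
    name, value, attrs = parse_set_cookie(header_line)
    attrs.setdefault("secure", True)
    attrs.setdefault("httponly", True)
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANON.get(key, key)
        rendered.append(label if val is True else f"{label}={val}")
    return "Set-Cookie: " + "; ".join(rendered)

if __name__ == "__main__":
    print("leak over http:", cookies_sent_over_http(SAMPLE_HEADERS))
    for line in SAMPLE_HEADERS:
        print(harden(line))
```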