I was shocked that several people posted in response to Peter Gutmann's note about Wachovia, asking (I paraphrase):
"What is the problem here? Wachovia's front page is only http protected, but the login information is posted with https! Surely this is just fine, isn't it?" I'm not going to explain why this is wrong. It should be obvious. If it isn't obvious to you, you should try thinking like an attacker for a few moments. If it still isn't obvious to you why this is very bad, read the list archives. (I won't be forwarding followups to this unless they are unusually interesting.) Perry -- Perry E. Metzger [EMAIL PROTECTED] --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
