Perry E. Metzger wrote:
I was shocked that several people posted in response to Peter
Gutmann's note about Wachovia, asking (I paraphrase):

"What is the problem here? Wachovia's front page is only http
protected, but the login information is posted with https! Surely this
is just fine, isn't it?"


(I won't be forwarding followups to this unless they are unusually

Hopefully this is interesting enough to get forwarded on...

Sadly this practice is all too common, and often goes hand in hand with the other "cardinal sin" of https that of mixed http/https pages.

I believe the only way both of these highly dubious deployment practices will be stamped out is when the browsers stop allowing users to see such web pages. So that there becomes a directly attributable financial impact to the sites that deploy in that way.

As much as I like Firefox & Safari [ the only two browsers I use now ] this has to be led by Microsoft with Internet Explorer since that will have the biggest impact, given IE 8 is in beta this seems like a perfect opportunity to get this in as a change for the next version.

Warnings aren't enough in this context [ whey already exists ] the only thing that will work is stopping the page being seen - replacing it with a clearly worded explanation with *no* way to pass through and render the page (okay maybe with a debug build of the browser but not in the shipped product).

Darren J Moffat

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to