Paul Hoffman wrote:
A less extreme solution would be to make the warning the user sees on a mixed-content page more insulting to the bank. "This page contains both encrypted and non-encrypted content and is inherently insecure. The owner of this web site has clearly made a very poor security decision in showing this page to you. It is likely that other pages on this site also have similarly poor security. Knowing this, do you wish to continue anyway?"
A more optimal solution is to have this vulnerability accepted by the OWASP community as a "Top 10" security vulnerability; it will have the appropriate intended effect since mitigation to the OWASP defined vulnerabilities is required in PCI-DSS: "6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines"

https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
http://www.owasp.org/index.php/Top_10_2007

Arshad Noor
StrongAuth, Inc.
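The thread discusses what a browser should tell the user when an HTTPS page pulls in sub-resources over plain HTTP. The check a site owner or reviewer would run is to find those sub-resources before the page ships. The following is an added example, not code from either poster: it scans an HTML document served from an HTTPS URL and lists every sub-resource that resolves to an http: URL, separating "active" mixed content (scripts, frames, stylesheets, form targets, which can run code or redirect credentials) from "passive" mixed content (images and media, which leak and can be tampered with but do not execute). The hostnames and the sample page are constructed for the demonstration.

```python
"""Mixed-content scanner: flag sub-resources that an HTTPS page loads over plain HTTP.

Added example; the hostnames and SAMPLE_HTML below are constructed, not real sites.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose HTTP sub-resources can execute code or redirect user input ("active").
ACTIVE = {
    "script": ("src",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),
}
# Elements whose HTTP sub-resources are displayed only ("passive"): still disclosed to
# and modifiable by a network attacker, but they cannot run script in the page.
PASSIVE = {
    "img": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
}


class MixedContentFinder(HTMLParser):
    """Collects (kind, tag, attribute, absolute_url) for every http: sub-resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def _check(self, kind, tag, attr, value):
        # Resolve relative and protocol-relative references against the page URL, so
        # "/login" and "//cdn.example.test/x.js" inherit https and are not flagged.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme.lower() == "http":
            self.findings.append((kind, tag, attr, absolute))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # A <link> counts as active only when it loads a stylesheet (CSS can
        # inject content and exfiltrate data); other rel values are ignored here.
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel and attrs.get("href"):
                self._check("active", tag, "href", attrs["href"])
            return
        for table, kind in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for attr in table.get(tag, ()):
                value = attrs.get(attr)
                if value:
                    self._check(kind, tag, attr, value)


def find_mixed_content(page_url, html):
    """Return the list of mixed-content findings for an HTML document served at page_url."""
    if urlsplit(page_url).scheme.lower() != "https":
        raise ValueError("page itself is not served over HTTPS; mixed content is undefined")
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def worst_severity(findings):
    """'active' if any finding can execute code, 'passive' if only display-only, else None."""
    kinds = {kind for kind, _, _, _ in findings}
    if "active" in kinds:
        return "active"
    if "passive" in kinds:
        return "passive"
    return None


# Constructed sample page: one active and one passive problem, two references that are fine.
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/lib.js"></script>
<link rel="stylesheet" href="//cdn.example.test/site.css">
</head><body>
<img src="http://static.example.test/logo.png">
<form action="/login" method="post"></form>
<iframe src="https://widgets.example.test/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    results = find_mixed_content("https://bank.example.test/account", SAMPLE_HTML)
    for kind, tag, attr, url in results:
        print(f"{kind:7s} <{tag} {attr}> {url}")
    print("worst severity:", worst_severity(results))
```

Run against the constructed page, the scanner reports the script as active and the image as passive; the protocol-relative stylesheet and the relative form action resolve to https and are left alone. The active/passive split mirrors the distinction browsers draw when deciding between blocking a sub-resource outright and merely downgrading the lock indicator.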
