On Fri, 13 Aug 2010 23:59:18 +1200 Peter Gutmann <pgut...@cs.auckland.ac.nz> 
> As part of a thread on another list, I noticed that Bank of America, 
> who until recently didn't bother protecting the page where users are 
> expected to enter their credentials with anything more substantial 
> than a GIF of a padlock, now finally use HTTPS on their home page, and 
> redirect HTTP to HTTPS (this only took them, what, about ten years to 
> get right?  Or is it fifteen?  When did BofA first get a web 
> presence?).  Wachovia now do it too.  And Citibank at least redirect 
> you to an HTTPS page.  And so does US Bank, after asking for your ID.
> What on earth happened?  Was there a change in banking regulations in 
> the last few months?

I'm usually pretty up-to-date on these regulations and I'm not aware of any 
recent changes. As for Wachovia's changes, you'll notice that it now says "A 
Wells Fargo Company" in smaller print beneath the Wachovia logo. That's the 
reason for their switch; our name on their (our?) site. Unfortunately, it 
appears that not all is working right. If you go to http://wachovia.com it 
redirects to https://www.wachovia.com just fine, but if you type in 
https://wachovia.com it does not redirect you and your browser will throw a 
domain name mismatch error because the certificate is for www.wachovia.com 
(Confirmed on IE8, Firefox 3.5, and Chrome 5). The browser treat these as near 
apocalyptic errors with huge warnings. Firefox especially. I've notified the 
appropriate people. 

Eric Lengvenis
Information Security Architect
Enterprise Information Security Architecture (EISA)

This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to