On Fri, 13 Aug 2010 23:59:18 +1200 Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> As part of a thread on another list, I noticed that Bank of America,
> who until recently didn't bother protecting the page where users are
> expected to enter their credentials with anything more substantial
> than a GIF of a padlock, now finally use HTTPS on their home page, and
> redirect HTTP to HTTPS (this only took them, what, about ten years to
> get right? Or is it fifteen? When did BofA first get a web
> presence?). Wachovia now do it too. And Citibank at least redirect
> you to an HTTPS page. And so does US Bank, after asking for your ID.
>
> What on earth happened? Was there a change in banking regulations in
> the last few months?

I'm usually pretty up-to-date on these regulations and I'm not aware of any recent changes.

As for Wachovia's changes, you'll notice that it now says "A Wells Fargo Company" in smaller print beneath the Wachovia logo. That's the reason for their switch; our name on their (our?) site.

Unfortunately, it appears that not all is working right. If you go to http://wachovia.com it redirects to https://www.wachovia.com just fine, but if you type in https://wachovia.com it does not redirect you and your browser will throw a domain name mismatch error because the certificate is for www.wachovia.com (Confirmed on IE8, Firefox 3.5, and Chrome 5). The browsers treat these as near apocalyptic errors with huge warnings. Firefox especially. I've notified the appropriate people.

Eric Lengvenis
Information Security Architect
Enterprise Information Security Architecture (EISA)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
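
The name mismatch described in the reply above, as an added example that is not part of the original thread: a minimal hostname check in the style of RFC 6125, run against the bare and www names. Only the certificate for www.wachovia.com comes from the message; the wildcard and two-name SAN lists and all function names are constructed for comparison.

```python
# Added example: a simplified RFC 6125-style DNS name match.
# Function names and the comparison SAN lists are constructed for illustration.

def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so "*.example.com"
        # can never cover the bare "example.com".
        return False
    if p[0] == "*":
        # Require at least two literal labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered_hosts(served_hosts, cert_sans):
    """Return the hostnames a browser would flag as a name mismatch."""
    return [
        host for host in served_hosts
        if not any(dns_name_matches(san, host) for san in cert_sans)
    ]


# Hostnames users can type, per the message above.
SERVED = ["wachovia.com", "www.wachovia.com"]

# Certificate as described in the message: valid for the www name only.
CERT_WWW_ONLY = ["www.wachovia.com"]
# Constructed alternatives for comparison.
CERT_WILDCARD = ["*.wachovia.com"]
CERT_BOTH = ["wachovia.com", "www.wachovia.com"]

if __name__ == "__main__":
    for label, sans in [("www only", CERT_WWW_ONLY),
                        ("wildcard", CERT_WILDCARD),
                        ("both names", CERT_BOTH)]:
        print(f"{label:10} -> mismatch on: {uncovered_hosts(SERVED, sans)}")
```

A wildcard certificate does not fix the bare-domain case; the bare name has to be listed in the certificate itself.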