Levi Pearson wrote:
> Topher Fischer <[EMAIL PROTECTED]> writes:
>
>> Since I've started working on this, I haven't used a login form that
>> wasn't given to me over SSL. Luckily, everything I use has some sort of
>> secure login form somewhere on their site. I've tried to find one for
>> Zion's bank, and haven't been able to. Fortunately, I don't bank with them.
>>
>
> Zion's Bank uses one of those new-fangled multi-step logins. You
> enter your user id on the front page, and then you are shown a picture
> and asked a question (over an SSL connection) or, if you've previously
> done this step and got a cookie, you're shown a picture and asked to
> enter your password. Since only the user id is entered into the form
> in the non-SSL page, it should be safe from your particular attack.
>
> --Levi
>

Thanks for pointing that out. I was going to use them as an example in a presentation. It does seem like some websites are figuring out that serving username/password forms over an insecure connection is a bad idea. Sometime over the past month, SmithBarney changed their home page, so that now it immediately switches over to an SSL connection.
--
Topher Fischer
GnuPG Fingerprint: 3597 1B8D C7A5 C5AF 2E19 EFF5 2FC3 BE99 D123 6674
[EMAIL PROTECTED]
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
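
An added example, not part of the original messages: a small audit check for the distinction drawn in this thread, which flags a password form unless both the page that delivers it and the URL it submits to use HTTPS, and ignores a user-id-only first step. The function names and the `bank.example` pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collects each <form>'s action and the types of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "types": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["types"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form on the page that contains a password field."""
    collector = _FormCollector()
    collector.feed(html)
    page_secure = urlparse(page_url).scheme == "https"
    findings = []
    for form in collector.forms:
        if "password" not in form["types"]:
            continue  # e.g. the user-id-only first step of a multi-step login
        target = urljoin(page_url, form["action"])  # empty action -> page URL
        submit_secure = urlparse(target).scheme == "https"
        # A form delivered in cleartext is not integrity-protected in transit,
        # even when it posts to HTTPS, so both conditions must hold.
        findings.append({"action": target, "page_over_tls": page_secure,
                         "submit_over_tls": submit_secure,
                         "ok": page_secure and submit_secure})
    return findings


# Constructed sample pages (hypothetical hostnames).
SINGLE_STEP = ('<form action="https://bank.example/login">'
               '<input name="user"><input type="password" name="pw"></form>')
MULTI_STEP = '<form action="https://bank.example/step2"><input name="userid"></form>'
```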
