On Mon, 2007-03-19 at 08:34 -0600, Brandon Stout wrote:
> I avoid banks - go Credit Unions! Bank is, after all, a 4 letter
> word... Most banks and credit unions use http for the front page and
> other public pages. Encryption increases bandwidth usage, so for
> large banks this makes sense. When you submit your password, it
> switches to https to encrypt your user name/password combo. Use a
> packet sniffer to make sure, but usually, even when the login page is
> http, your password will get sent https.

You missed the point. If the main page that contains the username and password field is served using normal http, then a malicious man in the middle can alter the form and send your username and password to a third party, all without messing with ssl certificates. Topher has written code to do this on a LAN.

Michael
