On Jan 9, 2009, at 6:49 AM, Peter Gutmann wrote:
https://visa.com/
I get no response. None at https://www.visa.com either.
On the other hand, the US-specific site, https://usa.visa.com,
responds just fine - but it redirects you to http://usa.visa.com/index.html
. Try that same address with https, and it's accepted - but again
redirected to the http version.
That one is at least in the Visa domain. It gets a bit more complex
for other regions - e.g., the Asian sites are accessible via https://www.visa-asia.com/
- but that redirects to
http://www.visa-asia.com/ap/index.shtml - even though
https://www.visa-asia.com/ap/index.shtml actual works!
I'm guessing that Visa has country- (or perhaps region-)specific
certs, which would make some sense - but the random mix of http and
https addresses is pretty broken.
It's not clear there's anything at visa.com that's really in need of
protecting, of course. It's not a card issuer, its member banks are.
Then again ... if you start from https://usa.visa.com and go to
"Access Account Information", you are sent to a (non-SSL) page that
claims to have links to the largest issuing banks - except that none
of the "links" actually works - which I guess is appropriate, since
you shouldn't be trusting them anyway!
A very strange set of sites
-- Jerry
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com