Re: On the topic of "Asking the drunk"...

2009-01-10 Thread Peter Gutmann
Jerry Leichter  writes:
>On Jan 9, 2009, at 6:49 AM, Peter Gutmann wrote:
>> https://visa.com/
>I get no response.  None at https://www.visa.com either.

Sigh, you wait awhile to make sure it's not an intermittent thing and then as
soon as you post it it stops working (or maybe someone from Visa is reading
this list and took it down quickly :-).  What it was doing until now was a
really convincing simulation of a phishing attack, the Firefox error message
was:

  visa.com uses an invalid security certificate.

  The certificate is not trusted because it is self-signed.
  The certificate is only valid for MIA21793WWW002.managed.cln.

  (Error code: sec_error_ca_cert_invalid)

Unfortunately posting that bit to the list kinda lessens the effect of seeing
it live.  Good thing I saved a screenshot while it was still active :-).

Peter.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Re: On the topic of "Asking the drunk"...

2009-01-10 Thread Jerry Leichter

On Jan 9, 2009, at 6:49 AM, Peter Gutmann wrote:
> https://visa.com/

I get no response.  None at https://www.visa.com either.

On the other hand, the US-specific site, https://usa.visa.com,
responds just fine - but it redirects you to http://usa.visa.com/index.html.
Try that same address with https, and it's accepted - but again
redirected to the http version.


That one is at least in the Visa domain.  It gets a bit more complex
for other regions - e.g., the Asian sites are accessible via
https://www.visa-asia.com/ - but that redirects to
http://www.visa-asia.com/ap/index.shtml - even though
https://www.visa-asia.com/ap/index.shtml actually works!

I'm guessing that Visa has country- (or perhaps region-)specific  
certs, which would make some sense - but the random mix of http and  
https addresses is pretty broken.


It's not clear there's anything at visa.com that's really in need of  
protecting, of course.  It's not a card issuer, its member banks are.   
Then again ... if you start from https://usa.visa.com and go to  
"Access Account Information", you are sent to a (non-SSL) page that  
claims to have links to the largest issuing banks - except that none  
of the "links" actually works - which I guess is appropriate, since  
you shouldn't be trusting them anyway!


A very strange set of sites
-- Jerry



On the topic of "Asking the drunk"...

2009-01-09 Thread Peter Gutmann
https://visa.com/

Peter.
