Re: AmEx unprotected login site

2005-06-09 Thread Peter Gutmann
Perry E. Metzger [EMAIL PROTECTED] writes: Steven M. Bellovin [EMAIL PROTECTED] writes: They're still doing the wrong thing. Unless the page was transmitted to you securely, you have no way to trust that your username and password are going to them and not to someone who cleverly sent you an

Re: AmEx unprotected login site (was encrypted tapes, was Re: Papers about Algorithm hiding ?)

2005-06-09 Thread Amir Herzberg
Ken, you are correct (see below). And in fact, if the page came from the right source (as validated by SSL and a secure browser extension such as TrustBar), I don't think there is any need to validate the source (which is impractical even for the geekest geek). After all, if a site is so

Re: AmEx unprotected login site

2005-06-09 Thread Amir Herzberg
Few comments on what Ivars Suba wrote: How to fight against phishing in organization environment? Quite easy - put SSL termination Proxy between client browser and SSL server: Sure, but: 1. This doesn't have any effect on non-SSL-protected sites (e.g. AmEx,... see `Hall of Shame`). And of course

Re: AmEx unprotected login site

2005-06-09 Thread Ben Laurie
Perry E. Metzger wrote: Steven M. Bellovin [EMAIL PROTECTED] writes: They're still doing the wrong thing. Unless the page was transmitted to you securely, you have no way to trust that your username and password are going to them and not to someone who cleverly sent you an altered version of

Re: AmEx unprotected login site

2005-06-09 Thread Amir Herzberg
Ivars Suba responded to me: 1. This doesn't have any effect on non-SSL-protected sites (e.g. AmEx,... see `Hall of Shame`). And of course assumes users will notice the use of non-SSL-site... Vowww.. I didn't know that AmEx is not ssl protected ;)) Before user credentials are passed to

Re: AmEx unprotected login site

2005-06-09 Thread Perry E. Metzger
R. Hirschfeld [EMAIL PROTECTED] writes: From: Perry E. Metzger [EMAIL PROTECTED] Date: Wed, 08 Jun 2005 19:01:37 -0400 The other major offender are organizations (such as portions of Verizon) that subcontract payment systems to third parties. They are training their users to expect to be

Re: AmEx unprotected login site

2005-06-09 Thread Perry E. Metzger
Ben Laurie [EMAIL PROTECTED] writes: Perry E. Metzger wrote: Steven M. Bellovin [EMAIL PROTECTED] writes: They're still doing the wrong thing. Unless the page was transmitted to you securely, you have no way to trust that your username and password are going to them and not to someone who

Re: AmEx unprotected login site

2005-06-09 Thread Ben Laurie
Perry E. Metzger wrote: Ben Laurie [EMAIL PROTECTED] writes: Perry E. Metzger wrote: Steven M. Bellovin [EMAIL PROTECTED] writes: They're still doing the wrong thing. Unless the page was transmitted to you securely, you have no way to trust that your username and password are going to

Re: AmEx unprotected login site

2005-06-09 Thread Amir Herzberg
Perry E. Metzger wrote: When I go to the SSL protected page, I can look at the URL and the lock icon in the corner before typing in my password. Bless you for being so careful. I, instead, look at the logo of the site and of the CA as displayed in TrustBar. This is much easier, and

Re: AmEx unprotected login site

2005-06-08 Thread Perry E. Metzger
Amir Herzberg [EMAIL PROTECTED] writes: Perry makes a lot of good points, but then gives a wrong example re Amex site (see below). Amex is indeed one of the unprotected login sites (see my `I-NFL Hall of Shame`, http://AmirHerzberg.com/shame.html). However, Amex is one of the few companies

Re: AmEx unprotected login site (was encrypted tapes, was Re: Papers about Algorithm hiding ?)

2005-06-08 Thread Ben Laurie
Amir Herzberg wrote: 3. They did not actually spell out the problem in using SSL in the homepage (like eTrade, for instance). But I think I know the reason (they didn't confirm or deny). I think the reason is that they host their site; in particular, when I tried accessing it via https, I got

Re: AmEx unprotected login site (was encrypted tapes, was Re: Papers about Algorithm hiding ?)

2005-06-08 Thread Jerrold Leichter
| Perry makes a lot of good points, but then gives a wrong example re Amex site | (see below). Amex is indeed one of the unprotected login sites (see my `I-NFL | Hall of Shame`, http://AmirHerzberg.com/shame.html). However, Amex is one of | the few companies that actually responded seriously to my

Re: AmEx unprotected login site

2005-06-08 Thread Perry E. Metzger
Jerrold Leichter [EMAIL PROTECTED] writes: If you look at their site now, they *claim* to have fixed it: The login box has a little lock symbol on it. Click on that, and you get a pop-up window discussing the security of the page. It says that although the page itself isn't protected,

RE: AmEx unprotected login site

2005-06-08 Thread Lance James
Cc: Amir Herzberg; cryptography@metzdowd.com Subject: Re: AmEx unprotected login site Jerrold Leichter [EMAIL PROTECTED] writes: If you look at their site now, they *claim* to have fixed it: The login box has a little lock symbol on it. Click on that, and you get a pop-up window discussing

Re: AmEx unprotected login site

2005-06-08 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Perry E. Metzger writes: Jerrold Leichter [EMAIL PROTECTED] writes: If you look at their site now, they *claim* to have fixed it: The login box has a little lock symbol on it. Click on that, and you get a pop-up window discussing the security of the page. It

Re: AmEx unprotected login site

2005-06-08 Thread Perry E. Metzger
Steven M. Bellovin [EMAIL PROTECTED] writes: They're still doing the wrong thing. Unless the page was transmitted to you securely, you have no way to trust that your username and password are going to them and not to someone who cleverly sent you an altered version of the page. They're doing

Re: AmEx unprotected login site

2005-06-08 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Perry E. Metzger writes: Steven M. Bellovin [EMAIL PROTECTED] writes: They're still doing the wrong thing. Unless the page was transmitted to you securely, you have no way to trust that your username and password are going to them and not to someone who cleverly sent