Posted by Hans Osterbrinck on March 18, 2007, 3:00 pm
> >> I just started using a new bank, which has an online access page to
> >> perform transactions etc. It is
> >> http://www.orchardbank.com/ecare/loginform
>
> >> I noticed it is not an https (secured) site but has a logo saying it
> >> is SSL secured with verisign... whatever that means. Can anyone tell
> >> me if I should be wary of using this login URL since it is not an
> >> https site. After I signed up I immediately changed my login details/
> >> security questions since these were all performed over an http
> >> connection.
>
> >> I am basically a novice about these things but "know" (ie. have been
> >> told a lot!) that https is important.
>
> > Although the login page isn't downloaded with SSL, it DOES use SSL to
> > submit the form. It's kind of difficult to tell this from the source,
> > because it uses some contorted Javascript to perform the submission.
> > But just do a login and look at the location line in your browser and
> > you'll see that it changed to HTTPS.
>
> > --
> > Barry Margolin, bar...@alum.mit.edu
> > Arlington, MA
> > *** PLEASE post questions in newsgroups, not directly to me ***
> > *** PLEASE don't copy me on replies, I'll read them in the group ***
>
> Yes, I also tested that with a Wireshark capture. It immediately sends a
> TCP SYN using HTTPS when you submit the form.
>
> BernieM
Nevertheless, it's bad practice to send the form itself over plain
HTTP and use SSL only to protect the data itself:
First, inexperienced users get used to the fact that even "secure"
websites don't need to be SSL-protected.
Secondly, the website containing the form is not guaranteed to be
authentic. This simplifies phishing and spoofing attacks.
Just a remark ...
Regards!