Cyber Security Institute

Tuesday, August 23, 2005

Banks abandoning SSL on home page log-ins

Some of the biggest banks have abandoned the practice of posting their online account log-in screens on SSL-protected pages in an effort to boost page response time and guide users to more memorable URLs, a U.K. Web performance firm said.

Netcraft noted that three of the largest banks in the U.S.—Bank of America, Wachovia, and Chase—as well as credit card giant American Express, now display their log-in forms on home pages not locked down with Secure Sockets Layer (SSL).  The username and password are still encrypted when sent to the bank’s server, however; the form’s Submit or Login button points to an SSL-enabled “https” URL.
 
But as Netcraft noted, Microsoft took the practice to task as long ago as April, when in an entry on the Redmond, Wash.-based developer’s official Internet Explorer blog, program manager Eric Lawrence wrote that the idea was flawed and could be exploited by “man-in-the-middle” attacks.
 
http://www.informationweek.com/story/showArticle.jhtml?articleID=169600305
Posted on 08/23