PaulDotCom mailing list archives
SSL Encryption and HTML
From: nbaronian at gmail.com (Nick Baronian)
Date: Tue, 28 Oct 2008 20:40:05 -0400
Hey Cody, given that this is a bank and I am guessing you bank with them, I would be a little wary. I don't know who you bank with but my uber google skillz led me to a bank that calls another site for login authentication. And from my 90 seconds of analysis, I don't think that the other site is using a well-known certificate authority, at least wget barked it wasn't or perhaps it was just self-signed. Either way, my guess is they are allowing another site to do this authentication behind the scenes to either avoid buying their own cert so they don't get a ton of users squawking to them about broken locks caused from different domains or no cert auth signing or perhaps the company who does their online banking didn't pay for one. Maybe my quick peek at it was wrong but it seems to me that for a website with a function such as banking, they are either avoiding/hiding something or their site is oddly/poorly designed causing me to be cautious and I would poke around the code and sniff my traffic.

-Nick

2008/10/28 matt donovan <kitchetech at gmail.com>
> On Tue, Oct 28, 2008 at 5:46 PM, Blake Hartstein <urule99 at gmail.com> wrote:
>
>> Cody Ray wrote:
>>
>>> Although the login does not occur on a secure HTML page, the login is, in fact, secure.
>>
>> SSL Encryption solves multiple problems. However, when used incorrectly it may not solve all of the intended problems.
>>
>> Privacy - Encryption of data, this is good in this case
>> Authentication - the user is unable to determine if the server is legitimate - bad in this case
>>
>>> If you want to assure yourself that the information you are sending is secure and you don't see a security icon, you can view the HTML source code.
>>
>> I don't like this advice, but it might make a good firefox plugin someday. There are plugins that allow you to force HTTPS, but it does have the possibility of breaking the server.
>>
>> Blake
>> _______________________________________________
>> Pauldotcom mailing list
>> Pauldotcom at mail.pauldotcom.com
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>
> last time I knew if the page is not ssl encrypted by default the log in information can still be seen before it even reaches the https.