PaulDotCom mailing list archives

SSL Encryption and HTML


From: cdf123 at cdf123.net (Chris Frederick)
Date: Wed, 29 Oct 2008 09:06:37 -0500

Cody Ray wrote:
> Although the login does not occur on a secure HTML page, the login is, in
> fact, secure.

No, in fact, it isn't.  It just means that I have to trust your insecure 
login page came from your site, which can't be verified.  This makes it 
much easier for a 'haxor' to post the login html on another site, and 
change the action to go somewhere else.  Once you click that submit 
button, it's too late, the data is sent.  Are you going to view-source 
every time you get the login page to make sure the form is posting to 
the correct location?

<rant>
The whole issue they are bringing up with this ssl side-stepping is 
trust.  They are asking you to trust their 'sleight-of-hand' security, 
which doesn't appear to be very trustworthy.  This causes (or should 
cause) the whole trust foundation to break down.  What other areas of 
security are they skimping on?
</rant>

Does this mean that the cookie that is set up on login can be used for 
the http and https sections of the site to identify you?  In that case 
anyone sniffing traffic between you and the bank could possibly see your 
session cookie if you ever navigated to the insecure site after being 
logged in.  There were a lot of sites (banks included) that got in 
trouble recently by not securing their cookies.

This whole thing smells bad.

My $0.02...
Chris