Full Disclosure mailing list archives
Re: http://www.chase.com/ vulnerability
From: "Perry E. Metzger" <perry () piermont com>
Date: Fri, 28 May 2004 15:30:17 -0400
<gauntlet () nym hush com> writes:
> Many financial institutions do the same thing.
>
> www.americanexpress.com:
> Security is important to everyone! Please be assured that, although the
> home page itself does not have an "https" URL, the login component of this
> page is secure. When you enter your User ID and password, your information
> is transmitted via a secure environment,
Except you have no way to know that without reading the html, since someone could have intercepted and altered the form. Given how many people can or will read the html, the assurances are completely false and essentially constitute a way of training their customers to have their accounts taken over in the future.

--
Perry E. Metzger perry () piermont com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html