PaulDotCom mailing list archives
SSL Encryption and HTML
From: ken.asher at docusign.com (Ken Asher)
Date: Tue, 28 Oct 2008 16:48:13 -0700
I'm not sure I get why they aren't simply using SSL throughout? Why not extend SSL to the entirety of the site? No convoluted language necessary.

--Ken

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of David A. Gershman
Sent: Tuesday, October 28, 2008 4:19 PM
To: PaulDotCom Security Weekly Mailing List; pauldotcom at mail.pauldotcom.com
Subject: Re: [Pauldotcom] SSL Encryption and HTML

For the most part I agree. However, if they know people get a warm, fuzzy feeling at seeing the lock icon I don't understand why they don't just make the login page secure as well. Personally, I type bogus info and then click login. Sure I'll get an error message, but then the resulting page *and* the submission form (at least for my banks) are SSL.

--David

Do you guys agree with the below statement?

Although the login does not occur on a secure HTML page, the login is, in fact, secure. We have all been well trained on how to check for security. We all look down at our status bar at the bottom of the browser to make sure there is a little lock or key that assures us that everything is secure before we send anything. Well now there's a new rule to learn: data can be sent securely even if you don't see these icons of security. When you fill out an information form, or application, or login, etc. you are filling out information on one page and the information is being sent to a second page. We see the security icons when the page that collects the information is secure. The information can be sent securely if the collection page is not secure, but the page where the information is sent to is secure. This is the method we use on home page logins.

If you want to assure yourself that the information you are sending is secure and you don't see a security icon, you can view the HTML source code. This may be intimidating for some, but all you have to do is search to find the word "action=." This will show you the location of the page that the information will be sent to. If you see "action='*https://...',*" you know that it is being sent securely. If you see "action='*http://',*" you know it is not secure.

Information Encryption

Your account information never travels the Internet without encryption protection. When you click on "login", we encrypt your Online Banking ID and password using Secure Sockets Layer (SSL) technology, the highest level of Internet security available. A secure connection is established before your ID and password are transmitted and maintained for the duration of your Online Banking session.

---------------
David A. Gershman
gershman at dagertech.net
http://dagertech.net/gershman/
"It's all about the path!" --d. gershman