SSL Encryption and HTML

[ken.asher at docusign.com (Ken Asher)]

I'm not sure I get why they aren't simply using SSL throughout?  Why not
extend SSL to the entirety of the site?

No convoluted language necessary.

--Ken

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of David A.
Gershman
Sent: Tuesday, October 28, 2008 4:19 PM
To: PaulDotCom Security Weekly Mailing List;
pauldotcom at mail.pauldotcom.com
Subject: Re: [Pauldotcom] SSL Encryption and HTML


For the most part I agree.  However, if they know people get a warm,
fuzzy feeling at seeing the lock icon I don't understand why they don't
just make the login page secure as well.

Personally, I type bogus info and then click login.  Sure I'll get an
error message, but then the resulting page *and* the submission form (at
least for my banks) are SSL.

--David

> Do you guys agree with the below statement?
>
> Although the login does not occur on a secure HTML page, the login is,
in
> fact, secure. We have all been well trained on how to check for
security. We
> all look down at our status bar at the bottom of the browser to make
sure
> there is a little lock or key that assures us that everything is
secure
> before we send anything. Well now there's a new rule to learn: data
can be
> sent securely even if you don't see these icons of security. When you
fill
> out an information form, or application, or login, etc. you are
filling out
> information on one page and the information is being sent to a second
page.
> We see the security icons when the page that collects the information
is
> secure. The information can be sent securely if the collection page is
not
> secure, but the page where the information is sent to is secure. This
is the
> method we use on home page logins. If you want to assure yourself that
the
> information you are sending is secure and you don't see a security
icon, you
> can view the HTML source code. This may be intimidating for some, but
all
> you have to do is search to find the word "action=." This will show
you the
> location of the page that the information will be sent to. If you see
> "action='*https://...',*"; you know that it is being sent securely. If
you see
> "action='*http://',*"; you know it is not secure.
> Information Encryption
>
> Your account information never travels the Internet without encryption
> protection. When you click on "login", we encrypt your Online Banking
ID and
> password using Secure Sockets Layer (SSL) technology, the highest
level of
> Internet security available. A secure connection is established before
your
> ID and password are transmitted and maintained for the duration of
your
> Online Banking session.

---------------
David A. Gershman
gershman at dagertech.net
http://dagertech.net/gershman/
"It's all about the path!" --d. gershman
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com