WebApp Sec mailing list archives
Re: Non SSL Bank Login Forms
From: Andrew van der Stock <vanderaj () greebo net>
Date: Fri, 19 May 2006 15:18:51 +1000
I work at a bank, and I find this frustrating as well.It is not secure from a phishing perspective - it's how the phishers can make their "password reset" forms look realistic as you have an implied trust of the (possibly) real page underneath.
Having a SSL based page one level deep is a good security idea and I'm terribly frustrated with banks that don't do that. Luckily, the place I work does this... but for a bad reason. The use a pop up to hide the address bar for no good reason. Luckily, IE 7 prevents this absolutely, so I'm absolutely chuffed. Thank you Microsoft! You helped me win an argument. :)
thanks, Andrew On 19/05/2006, at 12:57 AM, wilson.amajohn () gmail com wrote:
Hello all, my question is how can a form have a field that is secure without using SSL. From my web programming experience I cannot understand a Bank's claim that their login form is secure when there is no SSL used. "Signing on to secure sites from an unsecure page is a common industry practice" The POST data has to get to the server if SSL is not used how can they claim it is secure? I hope I have clarified my question enoughThanks John---------------------------------------------------------------------- ---Sponsored by: WatchfireWatchfire named worldwide market share leader in web application securityassessment by leading market research firm. Watchfire's AppScan is theindustry's first and leading web application security testing suite, andthe only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today!https://www.watchfire.com/securearea/appscansix.aspx? id=701300000007t9c ---------------------------------------------------------------------- ----
Attachment:
smime.p7s
Description:
Current thread:
- Non SSL Bank Login Forms wilson . amajohn (May 18)
- Re: Non SSL Bank Login Forms Wil Clouser (May 18)
- Message not available
- Fwd: Non SSL Bank Login Forms John Kennedy (May 18)
- Message not available
- Message not available
- Fwd: Non SSL Bank Login Forms John Kennedy (May 18)
- Re: Non SSL Bank Login Forms Wil Clouser (May 18)
- Re: Non SSL Bank Login Forms Adam Tuliper (May 19)
- http/spnego connections Adam Tuliper (May 19)
- Re: http/spnego connections Saqib Ali (May 19)
- Re: http/spnego connections Adam Tuliper (May 19)
- Re: http/spnego connections Adam Tuliper (May 19)
- Re: Non SSL Bank Login Forms Don Jackson (May 19)
- <Possible follow-ups>
- RE: Non SSL Bank Login Forms James Strassburg (May 19)