Re: Non SSL Bank Login Forms

[Andrew van der Stock <vanderaj () greebo net>]

I work at a bank, and I find this frustrating as well.

It is not secure from a phishing perspective - it's how the phishers  
can make their "password reset" forms look realistic as you have an  
implied trust of the (possibly) real page underneath.

Having a SSL based page one level deep is a good security idea and  
I'm terribly frustrated with banks that don't do that. Luckily, the  
place I work does this... but for a bad reason. The use a pop up to  
hide the address bar for no good reason. Luckily, IE 7 prevents this  
absolutely, so I'm absolutely chuffed. Thank you Microsoft! You  
helped me win an argument. :)

thanks,
Andrew

On 19/05/2006, at 12:57 AM, wilson.amajohn () gmail com wrote:

> Hello all, my question is how can a form have a field that is  
> secure without using SSL.  From my web programming experience I  
> cannot understand a Bank's claim that their login form is secure  
> when there is no SSL used.  "Signing on to secure sites from an  
> unsecure page is a common industry practice"  The POST data has to  
> get to the server if SSL is not used how can they claim it is  
> secure?  I hope I have clarified my question enough
>
> Thanks
>
> John
>
> ---------------------------------------------------------------------- 
> ---
> Sponsored by: Watchfire
>
> Watchfire named worldwide market share leader in web application  
> security
> assessment by leading market research firm. Watchfire's AppScan is the
> industry's first and leading web application security testing  
> suite, and
> the only solution to provide comprehensive remediation tasks at every
> level of the application. See for yourself.
> Download a Free Trial of AppScan 6.0 today!
>
> https://www.watchfire.com/securearea/appscansix.aspx? 
> id=701300000007t9c
> ---------------------------------------------------------------------- 
> ----

Attachment: smime.p7s
Description: