Three Out Of Four Banking Websites Have Serious Security Flaws - Study

Status
Not open for further replies.

SomeJoe7777

Distinguished
Apr 14, 2006
7
0
18,510
Just to be clear (and the FAQ on Atul Prakash's web page states this also): a security system where the logon page is not SSL does not necessarily mean that the username/password is sent in clear text over the network, where anyone can snoop it.

Most of the time, if the logon page itself is not SSL, the postback that occurs when the user submits the username and password does use SSL. Thus, the username and password are protected.

Atul's point is that when the logon page is not SSL, it opens the site up to a phishing attack, because the logon page becomes easy to duplicate. With no SSL certificate to let the user know that they're on the legitimate site, the phishing site can be an exact replica.

It used to be very common to design sites this way, because if the logon page uses SSL, then the entire page and associated graphics all have to be delivered via SSL, which is computationally intensive and significantly reduces the number of simultaneous users that the web site can handle. Designing the site such that only the postback uses SSL reduces the computational load on the web server considerably.

Obviously, times have changed, both in terms of security and in available computational power, and there is no reason today that the entire site including the logon page cannot be delivered via SSL.
 

SomeJoe7777

Distinguished
Apr 14, 2006
7
0
18,510
By the way, your commenting system is very messed up.

Attempting to submit a comment without logging in results in "An error occurred".

Submitting a comment after logging in just takes you to a "Page not found" after the submit, although the comment gets submitted anyway behind the scenes, but does not appear after the article.

Submitting a second time then results in a "Page not found" after the submit, and then both comments show up under the article.
 
I have to agree with some of the weak passwords and usernames. I hate it when a site does not let me use letters, numbers and symbols with a length of 16 or more digits.

Conversely, sites should allow any password, whether it simply be "1" or "8015n*(&^%FDdahs^##%Hf246132bjweraihuio". Same goes with usernames: I should be able to create a user name with any letters, numbers or symbols, not just use my e-mail address.
 