Last Updated: 2006-04-19 21:08:55 UTC
by Johannes Ullrich (Version: 1)
Now this is not about sending your credentials in the clear. The bank essentially uses a non-SSL "home page" which includes a login form, but the content of the login form is sent encrypted to an SSL page (e.g. you go to http://www.example.com, and the login form will submit your data to https://www.example.com). Now why is this so bad, given that your login data is still encrypted? Well, there are two reasons for SSL: The first is to encrypt your data (which happens in this case). The second, equally important function of SSL is authentication. A valid SSL connection confirms that you are actually talking to your bank, and that the login form is "real". If the page carrying the form is served in the clear, the SSL connection only authenticates whatever server the form happens to point at, not the page that told your browser where to send the password.
With the help of some handlers, we checked out a number of major banks. You can see the result at https://www.securewebbank.com/loginssluse.html . (I will gladly add more to the list if time allows. If you want to submit any, please let me know the URL of the login page so I can verify.)
Another problem, in particular with smaller banks, is the use of "brochure" pages on non-ssl (in many cases even shared servers) that link to an online banking site at a very different domain. Still working on collecting some data about this.
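To make the two checks above concrete, here is a small added example (not part of the diary and not the tool used for the securewebbank.com list) that inspects a page's HTML the way a reviewer would: it finds every form containing a password field and classifies it by the scheme of the page that served it, the scheme of the form's submit target, and whether the target lives on a different host than the page (the "brochure page" pattern). The sample HTML and the example.com / example.net hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect every <form> that contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []       # each entry: {"action": str, "has_password": bool}
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append(self._current)
            self._current = None


def classify_login_forms(page_url, html):
    """Return (action_url, verdict, cross_domain) for each login form on the page.

    verdict is one of:
      "ok"              - page and submit target both served over https
      "unauthenticated" - http page posting to https: the password is encrypted in
                          transit, but nothing proved the form itself came from the bank
      "cleartext"       - submit target is not https: the password travels in the clear
    cross_domain is True when the submit target's host differs from the page's host.
    """
    parser = LoginFormFinder()
    parser.feed(html)
    page = urlsplit(page_url)
    results = []
    for form in parser.forms:
        # A relative action inherits the scheme and host of the page that served the form.
        action_url = urljoin(page_url, form["action"])
        action = urlsplit(action_url)
        if action.scheme.lower() != "https":
            verdict = "cleartext"
        elif page.scheme.lower() != "https":
            verdict = "unauthenticated"
        else:
            verdict = "ok"
        cross_domain = (action.hostname or "").lower() != (page.hostname or "").lower()
        results.append((action_url, verdict, cross_domain))
    return results


# Constructed sample pages (not captured from any real bank).
HOMEPAGE_HTML = """
<form action="/search"><input type="text" name="q"></form>
<form action="https://www.example.com/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
"""
RELATIVE_ACTION_HTML = """
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
"""
BROCHURE_HTML = """
<form action="https://banking.example.net/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
"""


def main():
    cases = [
        ("https://www.example.com/", HOMEPAGE_HTML),
        ("http://www.example.com/", HOMEPAGE_HTML),
        ("http://www.example.com/", RELATIVE_ACTION_HTML),
        ("http://www.example.com/", BROCHURE_HTML),
    ]
    for page_url, html in cases:
        for action_url, verdict, cross_domain in classify_login_forms(page_url, html):
            note = " (different host than the page)" if cross_domain else ""
            print(f"{page_url} -> {action_url}: {verdict}{note}")


if __name__ == "__main__":
    main()
```

The search form is ignored because it has no password field; the "unauthenticated" verdict is exactly the case the diary describes, where the submission is encrypted but the page that produced the form was not.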