Threat Level: green Handler on Duty: Tom Webb

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Banks use non-ssl login forms.

Published: 2006-04-19
Last Updated: 2006-04-19 21:08:55 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
This is a bit an old issue I am having, but it seems to be getting worse and not better: Bank that use non-SSL login pages.

Now this is not about sending your credentials in the clear. The bank essentially uses a non-ssl "home page" which includes a login form, but the result of the login form is sent encrypted to an SSL page (e.g. you got to http://www.example.com, and the login form will submit your data to https:/www.example.com). Now why is this so bad, given that your login data is still encrypted? Well, there are two reasons for SSL: The first is to encrypt your data (which happens in this case). The second, as important function of SSL is authentication. A valid SSL connection confirms that you are actually talking to your bank, and that the login form is "real".

With the help of some handlers, we checked out a number of major banks. You can see the result at https://www.securewebbank.com/loginssluse.html . (I will gladdly add more to the list if time allows. If you want to submit any, please let me know the URL of the login page so I can verify).

Another problem, in particular with smaller banks, is the use of "brochure" pages on non-ssl (in many cases even shared servers) that link to an online banking site at a very different domain. Still working on collecting some data about this.


Keywords:
0 comment(s)
Diary Archives