Wednesday, October 04, 2006

Two locks must be extra secure

Here is a screen shot of a popular online financial institution. It's a little bit wide, because I wanted to ensure that you could see the entire location bar.

Take a look. Notice that this site boasts not just one "secure lock" icon, but two! This login form must be extra secure!

Not much else to say on this, but it drives me nuts that the login forms presented by financial institutions are not presented over SSL -- and this site isn't the only one. In this day and age, it's not prohibitively expensive to just shunt everyone over to SSL when they're supposedly performing secure transactions.

3 Comments:

Anonymous Anonymous said...

What should I download to check my PC? I only heard the end of it on the radio program.

10:51 AM

Anonymous George said...

I'd sure hope the submission form itself is presented secure though. The login form does not need to be secure if the form is posted using SSL (i.e., <form action="https://...) although a non-SSL login form would raise my suspicions of a phishing attack. Technically though no information would be transmitted over the non-encrypted channel as long as the form posts to SSL, even if the HTML for the form is transferred to the client using a non-encrypted connection. Information going the other way would be encrypted.

1:32 PM

Blogger todb said...

George -- that's the thing that drives me nuts, though. There's no way to tell if the POST is going to be all SSLified without either sending it and waiting for the popup that says "This information is being sent in the clear, are you sure?" (which everyone turns off the moment they go to Google, of course), or looking at the source (and hoping that you can decrypt whatever funky web 2.0 way they have for submitting input data). Anyway, the point is, the form itself as well as the resulting POST should be presented under the auspices of SSL, so you can be guaranteed that the form comes from some verifiable entity, and hasn't been tampered with in transit.

8:21 AM  
