Re: [Full-Disclosure] http://www.chase.com/ vulnerability
- To: <gauntlet@xxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] http://www.chase.com/ vulnerability
- From: "Perry E. Metzger" <perry@xxxxxxxxxxxx>
- Date: Fri, 28 May 2004 15:30:17 -0400

<gauntlet@xxxxxxxxxxxx> writes:
> Many financial institutions do the same thing.
>
> www.americanexpress.com:
>
> Security is important to everyone!
>
> Please be assured that, although the home page itself does not have an
> "https" URL, the login component of this page is secure. When you enter your
> User ID and password, your information is transmitted via a secure
> environment,

Except you have no way to know that without reading the html, since
someone could have intercepted and altered the form. Given how many
people can or will read the html, the assurances are completely false
and essentially constitute a way of training their customers to have
their accounts taken over in the future.
--
Perry E. Metzger perry@xxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html