Perry E. Metzger wrote:
Have a look, for example, at
http://www.americanexpress.com/
which encourages users to type in their credentials, in the clear,
into a form that came from lord knows where and sends the information
lord knows where. Spoof the site, and who would notice?
Every company should be telling its users never to type in their
credentials on a web page downloaded in the clear, but American
Express and lots of other companies train their users to get raped,
and why do they do it? Not because they made some high level decision
to screw their users. Not because they can't afford to do things
right. It happens because some idiot web designer thought it was a
nice look, and their security people are too ignorant or too powerless
to stop it, that's why.
Why is it bad for the page to be downloaded clear? What matters is the
destination is encrypted, surely?
Which, as it happens, it is on the above site.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
