Berkeley CSUA MOTD:Entry 37555
2005/5/6-8 [Computer/SW/Security, Computer/SW/Unix] UID:37555 Activity:nil
5/6     A lot of web sites now have a login snippet on their main page,
        which Firefox does not display an SSL icon
        (http://www.bankofamerica.com). Are those logins safe? You can
        usually find a specific login page within the website that
        has the SSL icon. I assume bank sites are usually safe in
        their design, but what about sites like
        http://www.officedepot.com? Some sites' login page
        (http://www.bookpool.com/ac) does not have an SSL icon, but
        their login button specifically says "secure login", how does
        it work? As an end user, how can one be sure the login/pw
        information is encrypted while in transit?
        \_ It's usually good practice to put the login page under SSL to
           preempt concerns like yours.  Many places don't have a login box
           on their front page, and make you click through to an https link
           to get a login box.  Others put the login box on their front
           page to save you that step, but the load of putting their front
           page under SSL is prohibitive.  If they say it's a secure login,
           the HTTP Post that sends your information will be under ssl.  If
           you want to test this, put in a bogus login/password and watch it
           jump to SSL when you click "login".
           \_ For verification:
              http://www.bankofamerica.com/signin/security_details_popup.cfm
           \_ So you have to 'observe' the flashing by of the SSL icon
              to distinguish these sites from sites that indeed use
              no security. I guess a better question is, how do you
              tell if the HTTP post used to send your login
              information is under SSL?
              \_ Best course of action: don't worry about it.  If someone's
                 really intent on stealing your info, there are easier ways
                 to do it.  There are non-technical ways to protect yourself
                 better.  Keep an eye on your account activity.  Get your
                 annual credit check (or more frequently if you're worried).
                 SSL is no guarantee no matter how Verisign wants to package
                 it.
                 \_ I find security policy varies significantly
                    between sites. Your password can be as strong as
                    you like, but often times the "I lost my password"
                    feature is typically implemented with very little
                    security in mind. Better sites will allow you to
                    reset your password after you verified who you are
                    (via secret questions, etc), never revealing what
                    your actual password was. But some not so security
                    conscious sites will simply email your password in
                    plain text, and sometimes all you have to do is to
                    provide your email address.  Some sites will also
                    reset your password with only the email address.
                    You can only guess how careful those sites will
                    treat your data (such as credit card info). I am
                    trying to sort out the sites that have my login
                    information so that the less secure sites do not
                    share the same password as the more
                    secure/important sites...
              \_ The only way to be sure is to look at the source and see
                 how it's posting the login.  But even then, you won't know
                 for sure that the authentication server is using weak
                 encryption.
        \_ What's pretty funny is that gmail defaults back to http when you've
           logged in, and they seem to have removed the setting the security
           guy I mentioned which lets you set ssl for all mail access.  -John
           \_ My gmail still stays https and always has.  I know yahoo
              switches back to http after login.
              \_ The guy I spoke to said it used to be configurable but was
                 taken out.  If I turn any of my URLs into https, it stays
                 https, including turning all the links into ssl, but I know
                 of several people where it redirects to http.  No clue why
                 it varies.  -John
                 \_ You're right.  I just never noticed it, because my
                    bookmark specified https.  Thanks for the tip.
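
The check the replies describe (reading the page source to see where the login form posts), as an added example that is not part of the original thread. The sample pages and example.com hosts are constructed, and the verdict labels are this example's own:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormFinder(HTMLParser):
    """Collect every <form> on a page and note whether it has a password input."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False,
                         "method": (a.get("method") or "get").lower()}
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "password":
                self._cur["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def audit_login_forms(page_url, html):
    """Return [(submit_url, verdict)] for each form with a password field."""
    finder = LoginFormFinder()
    finder.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    results = []
    for form in (f for f in finder.forms if f["password"]):  # skip search boxes etc.
        target = urljoin(page_url, form["action"])  # empty action = the page's own URL
        if urlsplit(target).scheme != "https":
            verdict = "cleartext"      # credentials cross the network unencrypted
        elif form["method"] != "post":
            verdict = "https-get"      # encrypted, but credentials end up in the URL
        elif page_is_https:
            verdict = "https"          # page and submission both under SSL
        else:
            # Submission is encrypted, but the page carrying the form was not: no lock icon.
            verdict = "https-post-from-http-page"
        results.append((target, verdict))
    return results

# Constructed sample pages (hypothetical hosts, not the sites named in the thread).
FRONT = ('<form action="/search"><input name="q"></form>'
         '<form method="post" action="https://secure.example.com/signin">'
         '<input name="id"><input type="password" name="pw"></form>')
PLAIN = '<form method="POST" action="/login"><input type=password name=pw></form>'
print(audit_login_forms("http://www.example.com/", FRONT))
print(audit_login_forms("http://shop.example.com/account", PLAIN))
```

This reads only the static form markup; a page whose script rewrites the form action or submits the credentials itself has to be checked by watching the actual request.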
Cache (1065 bytes)
www.bankofamerica.com/signin/security_details_popup.cfm
Secure home page sign in

Ensuring the security of your personal information online is a top priority for us. When you sign in to Online Banking on our home page, your ID and passcode are secure. The moment you click Sign In and before your ID and passcode leave your computer, we encrypt them using Secure Sockets Layer (SSL) technology. That means only Bank of America has access to your ID and passcode.

Browser security indicators

You may notice when you are on our home page that some familiar indicators do not appear in your browser to confirm the entire page is secure. Those indicators include the small "lock" icon in the bottom right corner of the browser frame and the "s" in the Web address bar (for example, "https"). To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Again, please be assured that your ID and passcode are secure and that only Bank of America has access to them.