5/6 A lot of web sites now have a login snippet on their main page,
for which Firefox does not display an SSL icon
(http://www.bankofamerica.com Are those logins safe? You can
usually find a specific login page within the website that
have the SSL icon. I assume bank sites are usually safe in
their design, but what about sites like
http://www.officedepot.com Some sites' login page
(http://www.bookpool.com/ac does not have a SSL icon, but
their login button specifically says "secure login", how does
it work? As an end user, how can one be sure the login/pw
information is encrypted while in transit?
\_ It's usually good practice to put the login page under SSL to
preempt concerns like yours. Many places don't have a login box
on their front page, and make you click through to an https link
to get a login box. Others put the login box on their front
page to save you that step, but the load of putting their front
page under SSL is prohibitive. If they say it's a secure login,
the HTTP Post that sends your information will be under ssl. If
you want to test this, put in a bogus login/password and watch it
jump to SSL when you click "login".
\_ For verification:
http://www.bankofamerica.com/signin/security_details_popup.cfm
\_ So you have to 'observe' the flashing by of the SSL icon
to distinguish these sites from sites that indeed use
no security. I guess a better question is, how do you
tell if the HTTP post used to send your login
information is under SSL?
\_ Best course of action: don't worry about it. if someone's
really intent on stealing your info, there are easier ways
to do it. There are non-technical ways to protect yourself
better. keep an eye on your account activity. get your
annual credit check (or more frequently if you're worried).
SSL is no guarantee no matter how Verisign wants to package
it.
\_ I find security policy varies significantly
between sites. Your password can be as strong as
you like, but often times the "I lost my password"
feature is typically implemented with very little
security in mind. Better sites will allow you to
reset your password after you verified who you are
(via secret questions, etc), never revealing what
your actual password was. But some not so security
conscious sites will simply email your password in
plain text, and sometimes all you have to do is to
provide your email address. Some sites will also
reset your password with only the email address.
You can only guess how careful those sites will
treat your data (such as credit card info). I am
trying to sort out the sites that have my login
information so that the lesser secure sites do not
share the same password as the more
secure/important sites...
\_ The only way to be sure is to look at the source and see
how it's posting the login. But even then, you won't know
for sure that the authentication server is using weak
encryption.
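One way to do the "look at the source" check the reply above suggests, as an added example that is not part of the thread: parse the page's HTML, find every form that contains a password field, resolve its action against the page URL, and flag any that would not post over https. The page URL and HTML below are constructed samples.

```python
# Added example (not from the thread): flags login forms whose action URL is
# not https, i.e. forms that would send the password in the clear.
# The sample page and hostnames below are constructed, not real sites.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect (resolved action URL, has_password_field) for every <form>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # finished forms: (action, has_password)
        self._current = None   # form being parsed: [action, has_password]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action means "post back to this page",
            # so it inherits the page's own scheme (http here).
            self._current = [urljoin(self.page_url, a.get("action") or ""), False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def insecure_login_forms(page_url, html):
    """Return action URLs of password forms that would not be sent over https."""
    parser = LoginFormFinder(page_url)
    parser.feed(html)
    return [action for action, has_pw in parser.forms
            if has_pw and urlsplit(action).scheme != "https"]


# Constructed sample: a plain-http front page with three forms.
SAMPLE_HTML = """
<form action="https://login.example.invalid/signin" method="post">
  <input type="text" name="user"><input type="password" name="pw">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
<form method="post"><input name="id"><input type="PASSWORD" name="pin"></form>
"""

if __name__ == "__main__":
    print(insecure_login_forms("http://www.example.invalid/", SAMPLE_HTML))
```

This only inspects the static markup; a form whose action is rewritten by script at submit time has to be checked by watching the actual request instead.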
\_ What's pretty funny is that gmail defaults back to http when you've
logged in, and they seem to have removed the setting the security
guy I mentioned which lets you set ssl for all mail access. -John
\_ My gmail still stays https and always has. I know yahoo
switches back to http after login.
\_ The guy I spoke to said it used to be configurable but was
taken out. If I turn any of my URLs into https, it stays
https, including turning all the links into ssl, but I know
of several people where it redirects to http. No clue why
it varies. -John
\_ You're right. I just never noticed it, because my
bookmark specified https. Thanks for the tip.