Guest metspitzer Posted October 5, 2008

https://www.wachovia.com/

I am used to looking for the lock in IE to show that the page is secure. Wachovia doesn't have one on their home page.

Are there other methods to assure me that the page is secure? Couldn't someone copy the page and open a site called wachova or something close and catch people that can't spell logging into the wrong page?

Guest Anne & Lynn Wheeler Posted October 5, 2008

metspitzer <metspitzer@gmail.com> writes:
> https://www.wachovia.com/
>
> I am used to looking for the lock in IE to show that the page is
> secure. Wachovia doesn't have one on their home page.
>
> Are there other methods to assure me that the page is secure?
> Couldn't someone copy the page and open a site called wachova or
> something close and catch people that can't spell logging into the
> wrong page?

we had been called in to consult with this small client/server startup that wanted to do payment transactions on their servers and they had this technology called SSL that they wanted to use ... part of that deployment included something called payment gateway ... misc. past posts http://www.garlic.com/~lynn/subnetwork.html#gateway and is now frequently called "electronic commerce".

Part of that effort was specifying part of the end-to-end of how SSL would be used and also doing detailed audits of some of these new things calling themselves certification authorities.

part of SSL was countermeasure to some perceived weaknesses in the domain name infrastructure ... which would provide that the server that the person thought they were talking to was in fact the web server they were talking to. this required that the person understand the relationship between the webserver they thought they were talking to and the corresponding URL. The browser SSL implementation then verified the relationship between the URL (used by the browser) and the corresponding server.

Almost immediately, majority of the deployed servers discovered that the use of SSL cut their thruput by 85-95 percent ... and so most of them dropped back to only using SSL for checkout/payment portion of the "electronic commerce" experience. Consumers were conditioned to clicking on a button (in a non-SSL page) which provided the URL to the browser.

The browser then would (simply) confirm that the server that the server claimed to be, was the server that it was (as opposed to the server that the person thought they were talking to, was the server they were talking to) ... aka it would take a really dumb fraudulent server to obtain a SSL certificate that didn't correspond to the server URL it was using.

This conditioning to accept "click button" URLs, has significantly contributed to current epidemic of phishing and identity theft.

for a little more topic drift, misc. past posts mentioning SSL domain name certification http://www.garlic.com/~lynn/subpubkey.html#sslcerts

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Guest John McGaw Posted October 5, 2008

metspitzer wrote:
> https://www.wachovia.com/
>
> I am used to looking for the lock in IE to show that the page is
> secure. Wachovia doesn't have one on their home page.
>
> Are there other methods to assure me that the page is secure?
> Couldn't someone copy the page and open a site called wachova or
> something close and catch people that can't spell logging into the
> wrong page?

Probably IE is simply not warning you about what is going on. If you try opening the subject page using Firefox 3 the warning "You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party." is displayed and must be dismissed before you can proceed. I would hope that among the encrypted items is the login information and that once you do log in it will be to a totally https portion of their site. I'm not a customer so I can try it.

As for your questions: probably you should be complaining to your bank about their website practices which make guesses about security (that is what it comes down to, really) more difficult. Yes, that is common typo-squatting combined with phishing.

John McGaw
http://johnmcgaw.com

Guest VanguardLH Posted October 5, 2008

Anne & Lynn Wheeler wrote:
> metspitzer <metspitzer@gmail.com> writes:
>> https://www.wachovia.com/
>>
>> I am used to looking for the lock in IE to show that the page is
>> secure. Wachovia doesn't have one on their home page.
>>
>> Are there other methods to assure me that the page is secure?
>> Couldn't someone copy the page and open a site called wachova or
>> something close and catch people that can't spell logging into the
>> wrong page?
>
> we had been called in to consult with this small client/server startup
> that wanted to do payment transactions on their servers and they had

<snip - unrelated response>

When you hear the alarm ring, it's telling you that it is time to take your meds. Do so. You might then be able to stay in touch with reality.

Guest VanguardLH Posted October 5, 2008

metspitzer wrote:
> https://www.wachovia.com/
>
> I am used to looking for the lock in IE to show that the page is
> secure. Wachovia doesn't have one on their home page.
>
> Are there other methods to assure me that the page is secure?
> Couldn't someone copy the page and open a site called wachova or
> something close and catch people that can't spell logging into the
> wrong page?

<form method="post" action="https://onlineservices.wachovia.com/auth/AuthService"

The above is the action when you submit your login credentials. SSL has heavy demands so many sites don't use it unless and when it is needed. You might not login on their home page so they don't want to waste the resources on establishing an SSL connect when it isn't needed. When you submit your login credentials, they send it to an HTTPS page which means an SSL connect must be established before the connect can complete. So your login credentials are sent secured. They don't need to encrypt their home page that they send out. They only need to encrypt your login credentials that you send in.

Was there a reason you didn't contact them about your concern?

Guest PA Bear [MS MVP] Posted October 5, 2008

Does the "lock" show after you've logged-in?

--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

metspitzer wrote:
> https://www.wachovia.com/
>
> I am used to looking for the lock in IE to show that the page is
> secure. Wachovia doesn't have one on their home page.
>
> Are there other methods to assure me that the page is secure?
> Couldn't someone copy the page and open a site called wachova or
> something close and catch people that can't spell logging into the
> wrong page?

Guest Anne & Lynn Wheeler Posted October 5, 2008

re:
http://www.garlic.com/~lynn/2008n.html#96 Wachovia Bank web site

i.e. SSL was to provide both

1) is the website you think you are talking to really the web site you are talking to (countermeasures to some perceived weaknesses in domain name infrastructure and various kinds of hijacking/impersonation vulnerabilities) and

2) hiding/encrypting information (countermeasure to various kinds of eavesdropping vulnerabilities)

#1 required that the user understands the relationship between the website they believe they are talking to and the corresponding URL .... since the only thing that the browser SSL implementation did is to verify that the provided domain name verified by all the SSL magic matched the SSL in the URL.

In numerous of the current uses ... rather than the user providing the actual URL ... the server is providing the actual URL (and corresponding domain name) ... frequently in various obfuscated ways that the user may not even be aware of.

Phishers, scamming, as well as various kinds of man-in-the-middle attacks have been able to take advantage of this increasing disconnect .... where there may be a perfectly valid SSL operation performed ... and the information has been guaranteed to be encrypted during transmission .... but the user may never actually see the URL verified by the SSL operation (and so doesn't actually know where the information is going to).

if you look at the raw page source .... it turns out that there is a https URL used to transmit the information

<form method="post" action="https://onlineservices.wachovia.com/auth/AuthService" name="uidAuthForm" id="uidAuthForm" onsubmit="return submitLogin(this)">

but there are few users in the world that know enough to understand what is going on.

There have been lots of studies that show that such tricks by reputable institutions, condition normal users to be tolerant of implementation tricks by bogus websites i.e. rather than simple straight-forward black/white ... there is a lot of gray and complexity introduced, which majority of users aren't going to understand.

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Guest metspitzer Posted October 5, 2008

On Oct 5, 4:35 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
> Does the "lock" show after you've logged-in?
> --

The lock does show up after I log in. That is, after I have furnished my username/password.

Guest PA Bear [MS MVP] Posted October 5, 2008

You're OK then.

metspitzer wrote:
> On Oct 5, 4:35 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
>> Does the "lock" show after you've logged-in?
>> --
>
> The lock does show up after I log in. That is, after I have furnished
> my username/password.

Guest S. Pidgorny Posted October 6, 2008

Generally, that's not the case: if submitting credentials gets you to a secure page, that doesn't mean the credentials were encrypted.

In case of Wachovia though the credentials are secure.

IE has "Submit non-encrypted form data" security setting to control the related behaviour.

--
Svyatoslav Pidgorny, MCSE, RHCE
-= F1 is the key =-
http://sl.mvps.org
http://msmvps.com/blogs/sp

PA Bear [MS MVP] wrote:
> You're OK then.
>
> metspitzer wrote:
>> On Oct 5, 4:35 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
>>> Does the "lock" show after you've logged-in?
>>> --
>>
>> The lock does show up after I log in. That is, after I have furnished
>> my username/password.

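The check several posts above perform by reading the raw page source, written out as an added example that is not part of any poster's message: it finds each form holding a password field and reports where the credentials are actually sent, which the lock on the landing page does not show. The function names and sample pages are constructed for illustration; only the first action URL is taken from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    # Records each <form>, its resolved action, and whether it holds a password field.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per password form: where it posts and what is wrong."""
    collector = FormCollector(page_url)
    collector.feed(html)
    collector.close()
    page = urlsplit(page_url)
    findings = []
    for form in (f for f in collector.forms if f["has_password"]):
        target = urlsplit(form["action"])
        issues = []
        if target.scheme != "https":
            issues.append("credentials submitted without TLS")
        if page.scheme != "https":
            issues.append("page delivered without TLS, so the form action can be altered in transit")
        if target.hostname != page.hostname:
            issues.append("posts to a different host than the page")
        findings.append({"action": form["action"], "issues": issues})
    return findings


# Constructed sample pages; only the first action URL is taken from the thread.
SAMPLE_HTTPS = ('<form method="post" action="https://onlineservices.wachovia.com/auth/AuthService">'
                '<input type="text" name="u"><input type="password" name="p"></form>')
SAMPLE_HTTP = '<form method="post" action="/login"><input type="password" name="p"></form>'
```

The form quoted in the thread also carries an `onsubmit` handler; a static parse like this one does not see what script does to the destination at submit time.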
Guest Anne & Lynn Wheeler Posted October 6, 2008

re:
http://www.garlic.com/~lynn/2008n.html#96 Wachovia Bank web site
http://www.garlic.com/~lynn/2008n.html#100 Wachovia Bank web site

recent article from this morning:

Browser Security UI: the horns of the dilemma
https://financialcryptography.com/mt/archives/001050.html

which references ("ISPs doing MITMs on their customers"):
http://blog.wired.com/27bstroke6/2008/04/i...error-page.html

and example:
http://www.sslshopper.com/article-phishing...ertificates.htm

in all this description ... CAs are actually "certification authorities" .... i.e. they are certifying information. Frequently this has been twisted to "certificate authorities" ... because of the frequent focus on selling digital certificates (which is just a representation of the information that they are certifying).

--
40+yrs virtualization experience (since Jan68), online at home since Mar70

Guest PA Bear [MS MVP] Posted October 6, 2008

You do not have to submit anything to reach https://www.wachovia.com/ and there is nothing "dangerous" on the page (if you've not logged-in).

S. Pidgorny wrote:
> Generally, that's not the case: if submitting credentials gets you to a
> secure page, that doesn't mean the credentials were encrypted.
>
> In case of Wachovia though the credentials are secure.
>
> IE has "Submit non-encrypted form data" security setting to control the
> related behaviour.
>
>
> PA Bear [MS MVP] wrote:
>> You're OK then.
>>
>> metspitzer wrote:
>>> On Oct 5, 4:35 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
>>>> Does the "lock" show after you've logged-in?
>>>> --
>>>
>>> The lock does show up after I log in. That is, after I have furnished
>>> my username/password.

Guest metspitzer Posted October 7, 2008

On Oct 6, 12:05 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
> You do not have to submit anything to reach https://www.wachovia.com/ and
> there is nothing "dangerous" on the page (if you've not logged-in).
>

How does one know the web page is secure before entering the personal information if there is no "lock" in the browser?

I do know it is secure because I use it, but there is nothing about the page that gives you that secure feeling.

Guest Frank Saunders MS-MVP IE,OE/WM Posted October 7, 2008

"metspitzer" <metspitzer@gmail.com> wrote in message news:64af8d71-266d-4d3d-948a-ef320065a35a@o40g2000prn.googlegroups.com...
> On Oct 6, 12:05 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
>> You do not have to submit anything to reach https://www.wachovia.com/ and
>> there is nothing "dangerous" on the page (if you've not logged-in).
>>
> How does one know the web page is secure before entering the personal
> information if there is no "lock" in the browser?
>
> I do know it is secure because I use it, but there is nothing about
> the page that gives you that secure feeling.
>
>

Yes there is. In order to tell you where we need to know your IE version.

--
Frank Saunders MS-MVP IE,OE/WM
Do not reply with email

Guest PA Bear [MS MVP] Posted October 8, 2008

Frank Saunders MS-MVP IE,OE/WM wrote:
> "metspitzer" <metspitzer@gmail.com> wrote in message
> news:64af8d71-266d-4d3d-948a-ef320065a35a@o40g2000prn.googlegroups.com...
>> On Oct 6, 12:05 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
>>> You do not have to submit anything to reach https://www.wachovia.com/ and
>>> there is nothing "dangerous" on the page (if you've not logged-in).
>>>
>> How does one know the web page is secure before entering the personal
>> information if there is no "lock" in the browser?
>>
>> I do know it is secure because I use it, but there is nothing about
>> the page that gives you that secure feeling.
>>
> Yes there is.
> In order to tell you where we need to know your IE version.

The full Windows version (e.g., WinXP SP3; Vista SP1) wouldn't hurt either.

--
~PA Bear

Guest PA Bear [MS MVP] Posted October 8, 2008

metspitzer wrote:
> On Oct 6, 12:05 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
>> You do not have to submit anything to reach https://www.wachovia.com/ and
>> there is nothing "dangerous" on the page (if you've not logged-in).
>
> How does one know the web page is secure before entering the personal
> information if there is no "lock" in the browser?
>
> I do know it is secure because I use it, but there is nothing about
> the page that gives you that secure feeling.

You took my post out of context: I was replying to Svyatoslav's post, not yours.

If you have issues with https://www.wachovia.com, you could take it up with Wachovia...or whatever bank eventually ends up owning it after the nuclear fallout settles (cf. http://www.sfgate.com/cgi-bin/article.cgi?.../BUHR13D3OJ.DTL).