I work at a bank, and I find this frustrating as well.
It is not secure from a phishing perspective - it's how the phishers
can make their "password reset" forms look realistic as you have an
implied trust of the (possibly) real page underneath.
Having an SSL-based page one level deep is a good security idea and
I'm terribly frustrated with banks that don't do that. Luckily, the
place I work does this... but for a bad reason. They use a pop-up to
hide the address bar for no good reason. Luckily, IE 7 prevents this
absolutely, so I'm absolutely chuffed. Thank you Microsoft! You
helped me win an argument. :)
thanks,
Andrew
On 19/05/2006, at 12:57 AM, wilson.amajohn_at_gmail.com wrote:
> Hello all, my question is how can a form have a field that is
> secure without using SSL? From my web programming experience I
> cannot understand a Bank's claim that their login form is secure
> when there is no SSL used. "Signing on to secure sites from an
> unsecure page is a common industry practice." The POST data has to
> get to the server; if SSL is not used, how can they claim it is
> secure? I hope I have clarified my question enough.
>
> Thanks
>
> John
>
Received on May 18 2006