I've been poking around various web sites and have noticed that major on-line services often fail to use SSL to protect their login pages. I'm not talking about sites where they don't need, or don't care enough to use SSL. I'm referring to major sites that use SSL, but only after you hit the Submit button. From a password security standpoint, this is sufficient. You don't actually need to protect the page that says "Type in your user name and password". It does not matter if hackers see that page, as long as they cannot see your name and password when you submit it. At least it didn't used to matter.
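As an added example (not code from the original post), here is a small Python audit that applies this distinction to a login page: it flags forms with a password field that were served over plain http, even when the form's action posts to https. The hostnames in the constructed sample HTML are placeholders.

```python
# Added example (not from the original post): classify each password form on a
# page by the scheme the page was served over and the scheme of its action URL.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    # Collect {"action": str, "password": bool} for every <form> on the page.
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return [(action_url, verdict)] for each form containing a password field.
    Verdicts: "ok" (page and action both https); "ssl-after-submit" (http page,
    https action: the pattern the post criticises, credentials are encrypted in
    transit but the form arrived unprotected with no lock icon); "plaintext"."""
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlparse(page_url).scheme
    results = []
    for form in parser.forms:
        if not form["password"]:
            continue
        action = urljoin(page_url, form["action"])  # empty action posts to page URL
        if urlparse(action).scheme != "https":
            verdict = "plaintext"  # credentials would travel over http
        else:
            verdict = "ok" if page_scheme == "https" else "ssl-after-submit"
        results.append((action, verdict))
    return results


# Constructed sample: an http login page whose form posts to https, plus a
# search form without a password field (ignored by the audit).
SAMPLE_HTML = """<form action="https://login.example.com/auth" method="post">
<input type="text" name="user"><input type="password" name="pass"></form>
<form action="/search"><input type="text" name="q"></form>"""
```

Running `audit_login_page("http://www.example.com/", SAMPLE_HTML)` yields the `ssl-after-submit` verdict for the login form only; serving the same page over https turns it into `ok`.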
The problem today is that phishing has added some complexity to the security analysis of this situation. When phishers send out emails, they tell the victims that there's been some sort of problem, and they need to login to the web site to clear things up. They provide a link in the email which would normally take the victims to the real web site, but in the case of these attacks, they take the victim to a web site that is under the control of the phishers. These phishing emails and web sites are getting very good. It may not be possible to tell just by looking at the web page itself if it's your bank's web site, or the phisher's.
Why does this attack work?
In the early days of Netscape, we spent a lot of time and energy to train the press and customers that they should never type personal information into the browser unless they saw the lock icon. Long before the word "phishing" was coined, we knew bad people might do something which would be thwarted if users followed this advice. And it worked for quite some time. In fact, we had usability testing which showed that this training worked.
Sadly, things have changed. Many major companies have implemented their web sites so as to undo this user training. Users now have no way of knowing what's real and what's not real because their banks, travel agencies, and merchants have taught them through repeated experience that it's OK to type their account information and passwords into pages where there is no lock icon. And because in most cases, nothing bad happens, people got used to it.
It's really disturbing that so many of the biggest sites with the biggest brand names fail to put SSL on their login pages. In many ways, they have unwittingly created the environment that allows phishers to thrive.
In my next few posts, I'll explore the banking situation, some myths around SSL, and some best practices I'd like to see all financial institutions follow.