Re: Should login pages be protected by SSL?

Subject: Re: Should login pages be protected by SSL?
Date: Tue, 21 Jun 2005 12:07:34 +0200
Andrew van der Stock wrote:
Depends on the value of the system in use.

...
OTOH, where the login leads to private data, such as your name and address, I feel that corporations have a duty of care to protect your data under the various privacy acts around the world. The cost of a certificate is much less than potential litigation, or more to the point, reputation loss if someone discovers a way around it.
I agree, and indeed, my focus is on really sensitive sites esp. banks. So it seems we are in agreement. I think most (or all??) security experts really agree here, but since some of the companies object, I am interested to see if there are some serious defenses of the unprotected login practice.

However, if it's a shopping cart type of thing, like Amazon, the thing that should be SSL is not the browsing of goods, but the transactions, particularly the credit card and address details.
Agreed...

The Visa/MC PCI guidelines are quite stringent on applying reasonable controls to this data.
Well, actually, I've worked with the card people a lot but am not aware of a specific requirement to use SSL to protect the form sent to the consumer and not just to protect the CC# in transit. Do you know? If you can give me some reference, I'll appreciate it. I can also ask my contacts. I am very interested, as one of the companies which uses unprotected login is Amex, and in fact we had a long argument with them on these questions...

In the case of Amazon 1-click, then effectively the 1-click is the thing requiring protection, so some form of control around that is also required.
Well, it is unfortunate that the 1-click login in Amazon is unprotected, see http://AmirHerzberg.com/shame.html...
<skip>
--
Best regards,


Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame.html
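The distinction raised above, between protecting the credentials in transit and protecting the login form itself on its way to the user, is easy to check mechanically. The following is an added example and is not code from the thread or from any site it mentions: it takes the URL a login page was fetched from plus its HTML and reports whether the form was served over TLS and whether it submits over TLS. The page contents and the `example.test` hostnames are constructed for illustration; `classify_login_page` and `_FormCollector` are names chosen here.

```python
"""Classify how a login form is delivered and where it submits.

Added example, not part of the original thread. A form delivered over plain
HTTP can be altered before the user ever submits it, so a POST that goes to
https:// on its own does not make the login "protected". Sample pages
below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form>, noting whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of {"action": str|None, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_login_page(page_url, html):
    """Return one of:
      'no-login-form'      - no form with a password field found
      'protected'          - page served over https, form posts over https
      'unprotected-form'   - page served over http, even though it posts to https
      'unprotected-submit' - page served over https but form posts over http
      'unprotected'        - neither the page nor the submission uses https
    """
    parser = _FormCollector()
    parser.feed(html)
    login_forms = [f for f in parser.forms if f["has_password"]]
    if not login_forms:
        return "no-login-form"

    page_https = urlsplit(page_url).scheme == "https"
    # A relative or empty action submits back to the page's own origin,
    # so resolve it against the page URL before looking at the scheme.
    submit_https = all(
        urlsplit(urljoin(page_url, f["action"] or page_url)).scheme == "https"
        for f in login_forms
    )
    if page_https and submit_https:
        return "protected"
    if not page_https and submit_https:
        return "unprotected-form"
    if page_https and not submit_https:
        return "unprotected-submit"
    return "unprotected"


# Constructed sample pages (not real sites).
PAGE_GOOD = """<html><body>
<form method="post" action="/session">
  <input name="user"><input type="password" name="pw"><input type="submit">
</form></body></html>"""

PAGE_HTTP_FORM_HTTPS_POST = """<html><body>
<form method="post" action="https://login.example.test/session">
  <input name="user"><input type="password" name="pw">
</form></body></html>"""

PAGE_NO_LOGIN = "<html><body><form action='/search'><input name='q'></form></body></html>"


if __name__ == "__main__":
    for url, html in [
        ("https://www.example.test/login", PAGE_GOOD),
        ("http://www.example.test/login", PAGE_HTTP_FORM_HTTPS_POST),
        ("https://www.example.test/login", PAGE_NO_LOGIN),
    ]:
        print(url, "->", classify_login_page(url, html))
```

The `unprotected-form` result is the case the thread is about: the credentials themselves travel over TLS, but the form arrived over plain HTTP, so nothing guarantees that the user saw the form the site actually sent. The check is static, so it can only say how the page and form are configured; it cannot detect a page that was already changed on its way to the browser.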
