I work at a bank, and I find this frustrating as well.
It is not secure from a phishing perspective - it's how the phishers
can make their "password reset" forms look realistic as you have an
implied trust of the (possibly) real page underneath.
Having a SSL based page one level deep is a good security idea and
I'm terribly frustrated with banks that don't do that. Luckily, the
place I work does this... but for a bad reason. The use a pop up to
hide the address bar for no good reason. Luckily, IE 7 prevents this
absolutely, so I'm absolutely chuffed. Thank you Microsoft! You
helped me win an argument. :)
thanks,
Andrew
On 19/05/2006, at 12:57 AM, wilson.amajohn@gmail.com wrote:
Hello all, my question is how can a form have a field that is
secure without using SSL. From my web programming experience I
cannot understand a Bank's claim that their login form is secure
when there is no SSL used. "Signing on to secure sites from an
unsecure page is a common industry practice" The POST data has to
get to the server if SSL is not used how can they claim it is
secure? I hope I have clarified my question enough
Thanks
John
----------------------------------------------------------------------
---
Sponsored by: Watchfire
Watchfire named worldwide market share leader in web application
security
assessment by leading market research firm. Watchfire's AppScan is the
industry's first and leading web application security testing
suite, and
the only solution to provide comprehensive remediation tasks at every
level of the application. See for yourself.
Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?
id=701300000007t9c
----------------------------------------------------------------------
----
smime.p7s
Description: S/MIME cryptographic signature
