Consider the Amir Herzberg Unprotected Login Hall of Shame. More specifically, this is the I-NFL (Inter-Net Fraud League) Hall of Shame, of which Amir Herzberg is "commissioner". However, as I can find no other references to the I-NFL other than this page (see Google), I'll just call it the "Amir list."
Anyway, here's my beef with this page. An interested party goes to this page, which has pictures of leading banking, payment, and commerce sites such as Amazon, PayPal, Chase, Bank of America, etc. under the heading "unprotected sites." Plus each site has in big red letters "this page is not protected" written across it (the output of the NetCraft tool). Pretty scary, right? This, coupled with the 24-pt heading "hall of shame" at the top of the page might lead one to infer (sarcasm intentional) that somehow the security of these sites is at issue. Oh my gosh! Time to panic, right? All these major sites! And they all have "shameful" security problems?!?! Holy *&%@!!!
Well, not so fast there buckarooney. Apparently, the "shame of being unprotected" that these sites bear has nothing to do with privacy of authentication data, authentication of the users, privacy of the account data, auditing features, security of facilities, backups, etc. In fact, the "shame" in question does not apply to anything that the majority of infosec practitioners or auditors would even consider a "security problem" per se. In point of fact, the "shameful" practice is that the login form is not SSL - note that the id/password submission is still SSL, it's just the preliminary submission form that's not.
According to Dr. H and the nebulous "Internet Fraud League," phishing is facilitated by the lack of SSL on the user ID form submission page. This is true from a certain point of view (and props to a true academic for pointing it out) but I think it totally misses the point of site security. Which is, there's more to a site's security than the logon form. CardSystems does not appear in the hall of shame, but Chase does. Which one would I trust with my account data nowadays? "Unprotected Login Hall of Shame" - maybe a qualifying adjective might help out there, Dr. H.
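The distinction the post turns on (login form delivered over plain HTTP, credential submission over HTTPS) as an added defender-side check; this is example code, not code from the post or from the NetCraft tool, and the hostnames and HTML it uses are constructed samples:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _LoginFormFinder(HTMLParser):
    """Collect each <form> that holds a password field, with its resolved action URL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []       # dicts of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None \
                and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def classify_login_page(page_url, html):
    """Classify every login form on the page, returning (finding, action_url) pairs:
    submission_unprotected - credentials would be POSTed over plain HTTP
    form_page_unprotected  - the form itself arrived over HTTP, so anyone on the path
                             could alter where it posts (the complaint the post discusses)
    protected              - page and submission both use HTTPS
    """
    parser = _LoginFormFinder(page_url)
    parser.feed(html)
    page_tls = urlparse(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        if urlparse(form["action"]).scheme != "https":
            findings.append(("submission_unprotected", form["action"]))
        elif not page_tls:
            findings.append(("form_page_unprotected", form["action"]))
        else:
            findings.append(("protected", form["action"]))
    return findings

# Constructed sample: the pattern the post describes, an HTTP page whose form posts to HTTPS.
SAMPLE_HTML = ('<form action="https://login.example.test/auth" method="post">'
               '<input name="user"><input type="password" name="pass"></form>')
```

Run `classify_login_page("http://www.example.test/", SAMPLE_HTML)` to get the "form_page_unprotected" finding the hall of shame flags; serve the same form from an `https://` page and it comes back "protected".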
Posted by Ed at June 22, 2005 01:54 PM