Banks and SSL forms

I just knew this message was going to get badly diluted as it progressed.

What Ullrich has ‘discovered’ is that banks provide the form to their users over a plain-text (HTTP) link, while taking the input from the form over an SSL (HTTPS) link.

This means that your password is not exposed to the Internet in clear-text, if you enter it into your bank’s form.

However, it means that you have nothing to prove that you are really connected to your bank’s form, other than a vague feeling that you typed in the right address and that, therefore, anything that comes back must be from your bank.

With DNS hacks, and viruses that replace or edit your hosts file, that’s not a guarantee of anything very much, sadly. So these days you should want your bank to identify itself to you via a certificate, and that can only happen over an SSL link, because it is the SSL handshake that checks the certificate against the name you typed.

How do you know if the form on your screen has been delivered by SSL?  That’s what the ‘padlock’ icon shows.

The only problem… you also want your password to be sent back using SSL, and currently, there’s no browser that I am aware of that will tell you that this is the case, or prevent your form details from traveling back unprotected.
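The check a browser could make, as an added example that is not part of the original post: resolve each form’s action against the page’s own URL and compare the two schemes. The host names, page URL and form list below are constructed for the example; the function names are my own.

```javascript
// Added example (not from the original post): classify every form on a page by
// whether the page itself arrived over TLS and whether the form will submit
// over TLS. Works on plain {action, method, hasPassword} descriptors so it runs
// under Node; in a browser, feed it describeDomForms(document) and location.href.

function resolveAction(pageUrl, action) {
  // An empty or missing action attribute submits back to the page's own URL.
  const base = new URL(pageUrl);
  return action ? new URL(action, base) : base;
}

function classifyForm(pageUrl, form) {
  const page = new URL(pageUrl);
  const target = resolveAction(pageUrl, form.action);
  const deliveredOverTls = page.protocol === 'https:';
  const submitsOverTls = target.protocol === 'https:';

  let verdict;
  if (deliveredOverTls && submitsOverTls) {
    verdict = 'ok';                     // form authenticated, password encrypted
  } else if (!deliveredOverTls && submitsOverTls) {
    verdict = 'unauthenticated-form';   // the bank case: password encrypted, but
                                        // nothing proves the form is the bank's
  } else if (deliveredOverTls && !submitsOverTls) {
    verdict = 'cleartext-submit';       // padlock shown, password still leaks
  } else {
    verdict = 'cleartext-both';
  }

  return {
    target: target.href,
    method: (form.method || 'get').toLowerCase(),
    hasPassword: Boolean(form.hasPassword),
    deliveredOverTls,
    submitsOverTls,
    verdict,
  };
}

function auditForms(pageUrl, forms) {
  return forms.map((f) => classifyForm(pageUrl, f));
}

// Browser-only helper (assumption: a DOM is available) that turns document.forms
// into the descriptors classifyForm expects. Not used by the Node run below.
function describeDomForms(doc) {
  return Array.from(doc.forms).map((f) => ({
    action: f.getAttribute('action') || '',
    method: f.getAttribute('method') || 'get',
    hasPassword: f.querySelector('input[type="password"]') !== null,
  }));
}

// Constructed sample: a login page served over plain HTTP whose password form
// posts to an HTTPS host, plus an ordinary search form on the same page.
const SAMPLE_PAGE = 'http://www.example-bank.test/login.html';
const SAMPLE_FORMS = [
  { action: 'https://secure.example-bank.test/login', method: 'post', hasPassword: true },
  { action: 'search', method: 'get', hasPassword: false },
];

for (const result of auditForms(SAMPLE_PAGE, SAMPLE_FORMS)) {
  console.log(result);
}
```

Note what this does and does not prove: the `action` attribute is the static destination, so a page that shows `unauthenticated-form` for its password field is exactly the situation described above, but script on the page can rewrite the action, or send the fields elsewhere, at the moment you press submit, so a clean result here is a necessary check rather than a guarantee.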

[It’s actually a computationally “hard” problem – possibly even computationally “impossible”. Checking the form’s static action address is easy; the hard part is that script on the page can rewrite that address, or send your details somewhere else entirely, at the moment you press submit, so a browser cannot promise in advance where the data will go. So let’s not be too down on the browser vendors.]

1 thought on “Banks and SSL forms”

  1. There is a solution which works for me most of the time. Always fill in your password incorrectly the first time (blank is normally fine, but sometimes javascript forces you to put something). Afterwards, the failed login / try again page is normally secure.
