Thread: Non SSL Bank Login Forms




Non SSL Bank Login Forms
user name
2006-05-18 14:57:49
Hello all, my question is how can a form have a field that is secure without using SSL. From my web programming experience I cannot understand a Bank's claim that their login form is secure when there is no SSL used. "Signing on to secure sites from an unsecure page is a common industry practice". The POST data has to get to the server; if SSL is not used, how can they claim it is secure? I hope I have clarified my question enough.

Thanks

John

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security
assessment by leading market research firm. Watchfire's AppScan is the
industry's first and leading web application security testing suite, and
the only solution to provide comprehensive remediation tasks at every
level of the application. See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------

Non SSL Bank Login Forms
user name
2006-05-19 05:18:51
I work at a bank, and I find this frustrating as well.

It is not secure from a phishing perspective - it's how the phishers can make their "password reset" forms look realistic as you have an implied trust of the (possibly) real page underneath.

Having an SSL based page one level deep is a good security idea and I'm terribly frustrated with banks that don't do that. Luckily, the place I work does this... but for a bad reason. They use a pop up to hide the address bar for no good reason. Luckily, IE 7 prevents this absolutely, so I'm absolutely chuffed. Thank you Microsoft! You helped me win an argument.

thanks,
Andrew

On 19/05/2006, at 12:57 AM, wilson.amajohngmail.com wrote:

> Hello all, my question is how can a form have a field that is secure without using SSL. From my web programming experience I cannot understand a Bank's claim that their login form is secure when there is no SSL used. "Signing on to secure sites from an unsecure page is a common industry practice". The POST data has to get to the server; if SSL is not used, how can they claim it is secure? I hope I have clarified my question enough.
>
> Thanks
>
> John

Non SSL Bank Login Forms
user name
2006-05-20 23:48:16
Hello,

If I was you, I'd close all my accounts and use another bank.

Regards,

-- 
Jason Muskat  | GCUX - de VE3TSJ
____________________________
TechDude
e. JasonTechDude.Ca
m. 416 .414 .9934

http://TechDude.Ca/


> From: <wilson.amajohngmail.com>
> Date: 18 May 2006 14:57:49 -0000
> To: <webappsecsecurityfocus.com>
> Subject: Non SSL Bank Login Forms
>
> Hello all, my question is how can a form have a field that is secure without using SSL. From my web programming experience I cannot understand a Bank's claim that their login form is secure when there is no SSL used. "Signing on to secure sites from an unsecure page is a common industry practice". The POST data has to get to the server; if SSL is not used, how can they claim it is secure? I hope I have clarified my question enough.
>
> Thanks
>
> John


