Re: Secure sign-in


Subject: Re: Secure sign-in
From: Mike Tibor (tibor@lib.uaa.alaska.edu)
Date: Tue Jan 22 2002 - 15:15:07 AKST


On Tue, 22 Jan 2002, Justin L. Dieters wrote:

>
> Hello all. There was some talk about Credit Union 1's website not being
> secure at one of the APULUG meetings a while back, and since I use CU1
> myself, I was a tad concerned. So I e-mailed their webmaster, and this
> is what I got back for a reply. I was hoping someone who knows a bit
> more about this stuff than I would be able to give an analysis of his
> reply. I copied his reply below - does this sound correct (a.k.a.
> safe), or do I need to switch to a different bank?
>
> ----------
> You are correct, that the login pages are not secure. However, the
> login process is all handled by a Java script. When you click the "Log
> On" button, the Java script takes over, and sends a "dummy" member
> number of 0 to the host, to establish a secure connection. Once the
> secure connection has been established and confirmed, only then are your
> account number and password transmitted to the server.
>
> If you look at the source code for the page, you will see a line that says,
> <INPUT TYPE="HIDDEN" NAME="DUMMY" VALUE="0">, and that is what it does.
> ---------

When CU1 first started doing this, I wondered the same thing myself. What
I did was to set up a packet sniffer on my firewall to see exactly what my
browser was sending to their server, and how it was being sent. Back
then it was in fact being sent using SSL, and I would assume that it still
is. As I recall, back then I think I also noticed that the login stuff
was being done in js.

FWIW,
Mike

-- 
Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
Network Technician     Consortium Library         (907) 786-6050 fax
tibor@lib.uaa.alaska.edu       http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key
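An added check (not from the thread, and not Credit Union 1's code) that does on the page's HTML what Mike did on the wire: it parses each form, resolves where its fields would be sent, and records whether that target and the page itself use TLS. The URLs and all of the markup except the hidden DUMMY line are constructed.

```python
# Added example: audit a login page's forms for where their fields travel.
# Constructed sample: a plain-HTTP page whose logon form posts to an HTTPS
# host. Only the hidden DUMMY line comes from the thread; the rest is assumed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "http://www.example-cu.invalid/login.html"  # constructed, plain HTTP
PAGE_HTML = """
<FORM NAME="logon" ACTION="https://secure.example-cu.invalid/cgi/logon" METHOD="POST">
<INPUT TYPE="HIDDEN" NAME="DUMMY" VALUE="0">
<INPUT TYPE="TEXT" NAME="MEMBER">
<INPUT TYPE="PASSWORD" NAME="PIN">
<INPUT TYPE="BUTTON" VALUE="Log On" ONCLICK="doLogon()">
</FORM>
<FORM NAME="search" ACTION="/search" METHOD="GET">
<INPUT TYPE="TEXT" NAME="q">
</FORM>
"""

class FormCollector(HTMLParser):
    """Collect each <form> with its action and its inputs (name, type, value)."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "form":
            self.forms.append({"name": a.get("name", ""), "action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("name", ""), (a.get("type") or "text").lower(), a.get("value")))

def audit_forms(page_url, html):
    """One finding per form: resolved submit target, TLS status, password presence, hidden fields."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for f in parser.forms:
        target = urljoin(page_url, f["action"])  # a relative action inherits the page's scheme
        findings.append({
            "form": f["name"],
            "target": target,
            "submits_over_tls": urlsplit(target).scheme == "https",
            # The form and any script that drives it arrive unprotected when the page is plain HTTP.
            "page_over_tls": urlsplit(page_url).scheme == "https",
            "has_password": any(t == "password" for _, t, _ in f["inputs"]),
            "hidden_fields": {n: v for n, t, v in f["inputs"] if t == "hidden"},
        })
    return findings

if __name__ == "__main__":
    for finding in audit_forms(PAGE_URL, PAGE_HTML):
        print(finding)
```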



This archive was generated by hypermail 2a23 : Tue Jan 22 2002 - 15:15:09 AKST