Saturday, February 16, 2008

What's wrong with this picture?

I went to log in to my Discover Card account to review my account activity (something I try to do on a regular basis). Using a bookmark (to make sure I don't accidentally enter a typo that gets me to a hacker's site -- plus I'm lazy and a single click is easier than typing in the URL), I get to the web site and I notice something that isn't right (in my opinion). Take a look at the picture below and tell me if you see it before reading past it.

Look at the URL. It's non-SSL (http: rather than https:). When I noticed that, I figured that somehow my bookmark was messed up, but looking at the bookmark, it does specify https:. What happens is that Discover's server answers the request to the SSL endpoint with a redirect to the non-SSL endpoint. This happens with IE and with Mozilla, whether directly connected or through a proxy server, so it's clearly something done on the server and not a side effect of the client.

That wouldn't be so bad if Discover just had a link on the home page directing me to a login page that was SSL protected. That isn't the case: the home page itself prompts for the user's credentials. Now the technical people out there might say that the login form is probably submitted to an SSL endpoint, so the credentials are encrypted in transit. That may be true, but without viewing the page source the user can't know it, and nothing in the browser's address bar or lock icon tells them.

In addition, since the page itself isn't served over SSL, the browser never checks a certificate for it, so the user (me in this case) has no way to know that they are actually talking to Discover. Anyone between the user and the server could be serving a look-alike page, or a MITM could pass the real page through with the form's action changed to point at a host it controls. An https: form action on an http: page is only as trustworthy as the page that carries it.

So, if you do go to Discover's site to view your account, I suggest that you select the login link in the upper right corner before you enter your credentials. This brings you to an SSL protected page where you can check the certificate and verify that the host you are talking to is discovercard.com and not some MITM.


2 comments:

Grant Alan Friedline said...

I was always under the impression that both the login page and the authentication page have to be https, but I guess that is not true. Facebook does the same thing. It submits from an http page to an https page as well.

Anil Saldhana said...

http://www.w3.org/2006/WSC/drafts/rec/

A spec I am part of is trying to address concerns like this.

This is serious BS from Discover.