Secure? Don't bank on it.
April 2, 2007 5:29 PM Subscribe
Calling webbish folks: I'd like to make sure this form is as unsecured as it appears before I complain. More inside!
So as far as I can tell this form is completely unsecured (which is kind of bad, as it encourages you to use your Social Security number). The page isn't encrypted, the lock icon doesn't appear even briefly when it's submitted (try arbitrary gibberish that won't validate server-side), and the form post action is not to a https:// address. It seems painfully ironic that a privacy choices form would itself be a security problem.
Before I complain to Wachovia, though, I'd like to make sure I'm not overlooking a way this form could be secure that I don't know about.
So as far as I can tell this form is completely unsecured (which is kind of bad, as it encourages you to use your Social Security number). The page isn't encrypted, the lock icon doesn't appear even briefly when it's submitted (try arbitrary gibberish that won't validate server-side), and the form post action is not to a https:// address. It seems painfully ironic that a privacy choices form would itself be a security problem.
Before I complain to Wachovia, though, I'd like to make sure I'm not overlooking a way this form could be secure that I don't know about.
No, the form is not submitted over an SSL link. SSL alone wouldn't make it "secure," but it would certainly help.
If you wish to make use of the form with encryption, however, you can just tack it on to the URL yourself and it appears to work just fine.
posted by majick at 5:38 PM on April 2, 2007
If you wish to make use of the form with encryption, however, you can just tack it on to the URL yourself and it appears to work just fine.
posted by majick at 5:38 PM on April 2, 2007
OTOH, they do have a picture of a lock, with a tooltip of "secure form", so that makes it OK.
posted by smackfu at 6:34 PM on April 2, 2007 [1 favorite]
posted by smackfu at 6:34 PM on April 2, 2007 [1 favorite]
This is bad and well worth complaining about. Their little picture of a lock is a real kicker.
posted by event at 6:53 PM on April 2, 2007
posted by event at 6:53 PM on April 2, 2007
Is it a phishing address? I got a cookie warning from ehg-wachovia.hitbox.com, which I never get when we access my husband's legit Wachovia account.
posted by Sweetie Darling at 6:55 PM on April 2, 2007
posted by Sweetie Darling at 6:55 PM on April 2, 2007
Oops, never mind. I got to the same page from online banking login. Sorry 'bout that.
posted by Sweetie Darling at 6:57 PM on April 2, 2007
posted by Sweetie Darling at 6:57 PM on April 2, 2007
FYI, the https:// version works fine:
https://wachovia.com/personal/forms/privacy_optout -- maybe you just clicked a bad link?
A lot of web servers have http and https pointing to the same directory. This isn't really a security issue unless someone links to the wrong one.
I don't think it's a phishing address.
posted by malphigian at 6:58 PM on April 2, 2007
https://wachovia.com/personal/forms/privacy_optout -- maybe you just clicked a bad link?
A lot of web servers have http and https pointing to the same directory. This isn't really a security issue unless someone links to the wrong one.
I don't think it's a phishing address.
posted by malphigian at 6:58 PM on April 2, 2007
Yeah, it's linked (insecurely) from the Privacy link at the bottom of every page.
posted by smackfu at 6:59 PM on April 2, 2007
posted by smackfu at 6:59 PM on April 2, 2007
Response by poster: Thanks for the alternative links, majick and odinsdream. I had tried the swap to https:// myself, in fact... but I posted the regular http:// version because that's how it's linked from the main Wachovia privacy page (d'oh!).
posted by musicinmybrain at 7:00 PM on April 2, 2007
posted by musicinmybrain at 7:00 PM on April 2, 2007
Look at this!
http://www.chase.com/
and the controversy it caused:
http://blogs.zdnet.com/Ou/?p=226
Even though the log-in is redirected to an SSL secured page, it is actually not secure for an instant. Does Chase care? Read all the comments under the ZDNet article. Bottom line: No. They use the same trick with the graphic of a lock. People have been told, "Look for the lock," so...Chase gave them a lock!
-
posted by Gerard Sorme at 7:36 PM on April 2, 2007
http://www.chase.com/
and the controversy it caused:
http://blogs.zdnet.com/Ou/?p=226
Even though the log-in is redirected to an SSL secured page, it is actually not secure for an instant. Does Chase care? Read all the comments under the ZDNet article. Bottom line: No. They use the same trick with the graphic of a lock. People have been told, "Look for the lock," so...Chase gave them a lock!
-
posted by Gerard Sorme at 7:36 PM on April 2, 2007
Gerard, correct me if I'm wrong, but the "action" attribute for the logon form is a POST to a https:// url. In other words, the data should be encrypted. I'm a Chase customer, and I use that form, so this is not a hypothetical question at all for me.
posted by knave at 8:14 PM on April 2, 2007
posted by knave at 8:14 PM on April 2, 2007
I'm so glad you posted this. I've noticed this on my credit card sites and it drives me crazy!
posted by rbs at 8:17 PM on April 2, 2007
posted by rbs at 8:17 PM on April 2, 2007
If the form action uses POST to send the parameters, the originating script need not be from a secure site. If, on the other hand, the form action uses GET, the form variables will be sent in the URL, which is insecure regardless of whether the transport layer is SSL or not.
While the Wachovia form does submit the form using POST, it's not specifically to a secure site. It looks like they just used a relative path, which is LAZY programming on their part. Had they simply hard-coded a SSL-enabled URL in the post action, they could have avoided all this hassle.
posted by Civil_Disobedient at 10:08 PM on April 2, 2007
While the Wachovia form does submit the form using POST, it's not specifically to a secure site. It looks like they just used a relative path, which is LAZY programming on their part. Had they simply hard-coded a SSL-enabled URL in the post action, they could have avoided all this hassle.
posted by Civil_Disobedient at 10:08 PM on April 2, 2007
The grapevine being what it is, I expect somebody at Wachovia mgmt has seen this thread by now and will make sure to get these (simple) changes made -- both the relative-URL submission Civil Disobedent points out and the fact that all the internal links point to the http rather than htpps page. But just in case, yeah, it might be worth notifying them.
And thanks for caring enough to ask about it here. Pretty amazing to see a major bank asking for SSNs on an "http" page in 2007.
posted by allterrainbrain at 10:54 PM on April 2, 2007
And thanks for caring enough to ask about it here. Pretty amazing to see a major bank asking for SSNs on an "http" page in 2007.
posted by allterrainbrain at 10:54 PM on April 2, 2007
(Yes I meant https.)
(And it might be worth pointing out explicitly that even as we discuss this, the changes may be underway -- but as of this post the privacy links in the global footer are still pointing to the http page.)
posted by allterrainbrain at 11:01 PM on April 2, 2007
(And it might be worth pointing out explicitly that even as we discuss this, the changes may be underway -- but as of this post the privacy links in the global footer are still pointing to the http page.)
posted by allterrainbrain at 11:01 PM on April 2, 2007
I was glad to see that the awesome Commerce Bank seems to have proper security. Just another reason to love my bank.
posted by footnote at 5:54 AM on April 3, 2007
posted by footnote at 5:54 AM on April 3, 2007
« Older Need to get wedding rings in New York | Credit Cards: Help me find a card that will allow... Newer »
This thread is closed to new comments.
posted by aubilenon at 5:35 PM on April 2, 2007