Banks and https
Saturday, May 28th, 2005

Here's what happens when you go to the web pages of some large US banks, and what happens when you try changing the homepage URL from "http" to "https" or vice versa.
Bank | http | https |
---|---|---|
Bank One | Insecure login form. | Works. |
Wells Fargo | Insecure login form. | Works. |
Wachovia | Insecure login form. | Works. |
Bank of America | Insecure login form. | Redirects to http. |
Washington Mutual | Insecure login form. | Redirects to http. |
US Bank | Insecure login form. | Error: Connection closed. |
Citibank | Link to secure login form at "web.da-us.citibank.com". | Error: 404. |
HSBC | Link to secure login form at "www.ebank.us.hsbc.com". | Certificate hostname mismatch. |
Suntrust | Redirects to https. | Works. |
Most of these banks make Critical SSL/TLS Mistake #1: serving the login form over http and only submitting it to https. This protects against passive attacks (eavesdropping on the submitted credentials), but does not protect against man-in-the-middle attacks, because an attacker who can alter the http page can change where the form submits. An attacker who can mount a passive attack can usually mount a man-in-the-middle attack with only a little more work, so these banks are barely more secure than sites that do not use https at all.
Of the banks that use https login forms at all, many make two smaller mistakes: their main page is http, which invites http links and bookmarks, and their login forms have long hostnames like "web.da-us.citibank.com", which are harder for users to verify than e.g. "www.citibank.com" or "citibank.com".
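As an added example (not code from the original post), here is a small audit that classifies a homepage the way the table above does, from the page URL and its HTML alone: it finds every form with a password field, reports whether the form itself was served over http (Critical SSL/TLS Mistake #1), whether an https page still submits over http, and whether the submit hostname has more labels than something like "www.citibank.com" and so is harder to verify. The hostnames and markup below are constructed for illustration.

```python
# Added example, not from the original post. Classifies a page's login forms
# by page scheme, form action scheme, and submit hostname length.
# All hostnames and markup here are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []      # one dict per form: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return one finding per login form (a form containing a password field).

    verdict is one of:
      "insecure login form"  the form itself arrived over http, so a
                             man-in-the-middle can rewrite its action
      "submits over http"    https page, but the credentials leave over http
      "works"                https page and https action
    long_hostname flags submit hosts with more than three labels, which are
    harder for a user to check against the bank's well-known name.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        # Resolve relative actions; an empty action submits back to the page URL.
        action = urlsplit(urljoin(page_url, form["action"]))
        if page_scheme != "https":
            verdict = "insecure login form"
        elif action.scheme.lower() != "https":
            verdict = "submits over http"
        else:
            verdict = "works"
        host = action.hostname or ""
        findings.append({
            "verdict": verdict,
            "submit_host": host,
            "long_hostname": host.count(".") >= 3,   # four or more labels
        })
    return findings


# Constructed sample pages (not real bank markup).
HTTP_HOMEPAGE = """
<html><body>
<form action="https://web.us-east.example-bank.test/signin" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign In">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>
"""

HTTPS_HOMEPAGE = """
<html><body>
<form action="/signin" method="post">
  <input type="text" name="user">
  <input type="PASSWORD" name="pass">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, page in [("http://www.example-bank.test/", HTTP_HOMEPAGE),
                      ("https://www.example-bank.test/", HTTPS_HOMEPAGE)]:
        for f in audit_login_page(url, page):
            print(url, "->", f["verdict"], "via", f["submit_host"],
                  "(long hostname)" if f["long_hostname"] else "")
```

Run against the first sample, the audit reports "insecure login form" via a four-label host, which is exactly the combination the table shows for most of the banks; the second sample, served over https and submitting to the same short hostname, comes back as "works". The search form is ignored because it has no password field.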
Many of the largest targets for financial fraud in the US are only defending themselves against passive attacks. Do they believe authenticated encryption isn't important in the US? Aren't these the same banks that blackmailed Mozilla developers into adding two of its most-hated features, "autocomplete=off" and "Cache-Control: no-store", claiming that any browser without these features was not secure enough for use on their sites? Banks in the US are heavily regulated, so why aren't they mandated to use https correctly?
Users either don't look for the lock icon at all, or can be tricked by the combination of a lock image and a statement in the page like "The moment you click Sign In and before your ID and passcode leave your computer, we encrypt them using Secure Sockets Layer (SSL) technology." Why is that? What can be done? What should be done?