
Security - DiscoverCard.com

@Deb1703797

Posted in: #Https

I have a security, SSL question about discovercard.com/
When you first go to Discover Card's Home Page you are able to type in your user name and password without the website being protected by SSL. When you hit login the information is passed over SSL but the home page does not use SSL itself.

Why do you think Discover does this? Is this fine to do? Are there any security risks by doing this?

Any other bank or credit card website I have gone to has SSL anywhere you type the username and password.

Thanks for the comments!


2 Comments


@Sims2060225

Most sites don't do this because, in theory, a Man-in-the-Middle attack could be used to spoof the non-HTTPS login page so that the login information can be intercepted.

Though, in practice a MitM attack is a very rare and sophisticated attack. Unless you're on an unsecured network, there's almost no chance of it happening. And if you were to be victim to a MitM attack, I'm not even sure using an HTTPS login page would help. (There have been reports of rogue CA certificates being created by exploiting the use of the obsolete MD5 algorithm by root CAs; as well as stories of wildcard certificates being generated that can be used on any FQDN.)

That said, if SSL is secure (hopefully those exploits have been fixed), then the customer should be safe from MITM attacks if they're using an up-to-date browser and pay attention to browser warnings (sort of a big "if" considering many big sites don't even bother to use proper SSL certificates). And users do feel safer when they see the little lock icon on their browser, so that may be a good enough reason to use it, as there are few downsides to using HTTPS on the login page. The slowdown should be negligible considering the overhead of SSL encryption is minuscule compared to database or scripting overhead on most applications.


@LarsenBagley505

Yes, I can assure you that discovercard.com/ is secured. Why? Well, please check discovercard.com carefully. Just before you hit the "login" button, please check the "Login" button thoroughly. On the status bar, you will see that when you click on this button, it will redirect your request to a secure HTTPS protocol.

Because of this, I can ensure that this portal is safe and secure.

Why does discovercard.com/ do all this? Well, if you run your site all in HTTPS protocol, your site will load slower than the ordinary site. Please remember that you will only have to protect your site when some credential information is entered, not the entire site. If a visitor comes to your site just for browsing, he does not need a secured channel. In fact, he may leave if he knows that your site loads slower due to the existence of the SSL.

Hope this helps :-)


