Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Banks use non-ssl login forms. - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Banks use non-ssl login forms.
This is a bit an old issue I am having, but it seems to be getting worse and not better: Bank that use non-SSL login pages.

Now this is not about sending your credentials in the clear. The bank essentially uses a non-ssl "home page" which includes a login form, but the result of the login form is sent encrypted to an SSL page (e.g. you got to, and the login form will submit your data to https:/ Now why is this so bad, given that your login data is still encrypted? Well, there are two reasons for SSL: The first is to encrypt your data (which happens in this case). The second, as important function of SSL is authentication. A valid SSL connection confirms that you are actually talking to your bank, and that the login form is "real".

With the help of some handlers, we checked out a number of major banks. You can see the result at . (I will gladdly add more to the list if time allows. If you want to submit any, please let me know the URL of the login page so I can verify).

Another problem, in particular with smaller banks, is the use of "brochure" pages on non-ssl (in many cases even shared servers) that link to an online banking site at a very different domain. Still working on collecting some data about this.

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022


4479 Posts
ISC Handler
Apr 19th 2006

Sign Up for Free or Log In to start participating in the conversation!