THIS IS WRONG! It's secure by default!
Authored by: johnqsmith on Jan 28, '07 01:58:13PM

While I am happy that at least some of you want to be more secure, the fact of the matter is that it is already using SSL at the time that you submit the information. I know most of you don't know how to use a packet sniffer, but I do and I've tested it. It is very common for sites (like banks) to use http to show the front page but then submit the information with SSL. This is because it causes more load to send all the content of the front page encrypted.

While I think it is a good idea from a user-education perspective to always make the front page SSL encrypted, so that people know to look for the browser lock (ESPECIALLY for banks... who like to use their own "lock" icons that don't mean anything... I personally yelled at Wells Fargo a lot until they made the front page SSL by default), you can see why sites might not want to do this, especially sites with extremely high traffic. However, you should realize that Google would never have gotten away with sending your credentials in the clear; us security people would have made sure it drew them bad PR ;)

One other tip I would mention, though, is that if you have a bank which is using non-SSL for the front page, it would be a much better idea to add the s (https), and then if it doesn't work, complain to your bank (it may just be that they use a different server for the SSL traffic, but you should find out).


