Slashdot Mirror


IE Devs Criticize Bank Security Vulnerabilities

mrcaseyj writes "A post on the IE blog criticizes some banks for no longer using secure connections for entire login pages and only encrypting the password as it goes back to the bank. This prevents simple password sniffing but doesn't prevent a man in the middle attack from replacing the unsecured login page with one that has disabled encryption. This is especially a problem if you are using an unencrypted wireless connection such as at a coffee shop, because hackers can easily use the airpwn package to intercept the login page and steal your password. An easy remedy for when a secure page isn't available is to enter a bad username and password which usually brings up a secure page telling you to try again. But can you really trust your money to a bank that doesn't even offer the option of a secure login page?"

6 of 214 comments

  1. Isn't this a little old? by Hoover,L+Ron · · Score: 5, Informative

    Link goes to some 2 year old blog entry.

    1. Re:Isn't this a little old? by Don_dumb · · Score: 3, Informative

      This whole article is basically just the same two posts the same submitter (mrcaseyj) made in this article http://it.slashdot.org/article.pl?sid=07/05/07/2247244 earlier today. Now his posts may be interesting but anyone who was actually interested in this would have seen these posts today already.

      --
      If this were really happening, what would you think?

  2. hypocrisy by Anonymous Coward · · Score: 1, Informative

    Hotmail does the same thing.

  3. Re:Fixed it for ya! by ThinkFr33ly · · Score: 3, Informative

    And, indeed, they likely are the most hacked web servers in the world. IIS 6, on the other hand, appears to be extremely secure. Whether this is a factor of market share or code quality, we don't know.

    Apache: http://secunia.com/search/?search=Apache

    IIS 6: http://secunia.com/product/1438/

    The fact of the matter is that you do not have enough information to conclude that IE is more poorly coded than any other browser out there. You are coming to this conclusion based on assumptions, not based on facts.

  4. Re:Fixed it for ya! by nekokoneko · · Score: 4, Informative

    Mod parent down! Nice try, but your search listed the vulnerabilities for all Apache related products (httpd 1.x, httpd 2.x, Tomcat, etc), totaling 383 advisories, while listing the vulnerabilities for only a specific version of IIS (IIS 6.0), totaling 3 advisories.
    Comparing IIS 6.0 to, say, Apache 2.2, we see 3 advisories for each product. Also, the comparison fails for only comparing the number of advisories and not the severity level of each one of them. Granted, Apache 2.2 has one unpatched advisory compared to zero for IIS 6.0, but it is not nearly as clear cut and one sided as your post made it seem.

  5. Re:Fixed it for ya! by ThinkFr33ly · · Score: 2, Informative

    Well, I gave a link to the search results for Apache, as opposed to a specific Apache version, to allow people to compare the versions they choose. How convenient that in your comparison you chose to concentrate only on Apache 2.2, which has, by far, the fewest vulnerabilities of the Apache family.

    To compare them somewhat accurately, one should compare IIS 6 with the version of Apache that has been out a similar amount of time, and, ideally, has a similar market share.

    I guess this would mean you would compare IIS 6.0 to Apache 2.0. In that case, IIS 6.0 has 3, and Apache 2.0 has 33. Furthermore, none of the IIS 6.0 issues were "critical", while at least 2 of the Apache ones were.

    Even this isn't really a fair comparison, since I would bet that a *huge* percentage of Apache sites run Apache 1.3.x, not 2.x or 2.2.x. Apache 2.2 has been out for only about 1.5 years. (Versus 4.5 years for IIS 6.)

    For the IIS user base, almost everybody is running IIS 6. (And for obvious reasons... IIS 5 and earlier sucked hardcore.)

    The point is that the idea that IIS 6 is insecure is clearly false.