- From: Yngve N. Pettersen (Developer Opera Software ASA) <yngve@opera.com>
- Date: Wed, 23 Jul 2008 23:52:46 +0200
- To: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
<URL: http://arstechnica.com/news.ars/post/20080723-study-websites-of-financial-institutions-insecure-by-design.html >

Hmmmm?

------------------
For example, nearly 30 percent of the sites the researchers examined performed what they termed a "break in the chain of trust." In this case, specific financial activities required that the user be sent to a site run by a different company, meaning they were no longer interacting with the original domain; in many cases, a different security certificate was required. In 17 percent of these cases, there was no warning that this would occur.

Roughly half the sites requested login information on an insecure page. The information was typically sent using JavaScript that invoked a secure SSL connection, but the user had no indication of this, a practice that promotes a casual approach to security.

Over a quarter of the sites had poor policies on the username/password combination. Some accepted short, insecure passwords. Others either accepted or defaulted to easily obtained usernames, such as e-mail addresses or Social Security numbers.
-------------------

--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
Received on Wednesday, 23 July 2008 21:59:56 UTC