do it. think it. blog it! ... a twisted world

Microsoft has been condemning, the practice of using NON SSL browsing methods, especially for online banking. However, Bank of America, Wachovia and Chase, as well as financial services giant American Express have decided to not concurr with this approach according to this report on NetCraft.

Netcraft's SSL Survey provides detailed information about encrypted transactions and e-commerce, including the growth rate for SSL-enabled sites, and which operating systems, server software and certificates are most widely used on these sites.

I had blogged about Secure Passwords last month, and had mentioned the usage of a Password Hasher using JavaScript. If these banks DO NOT want to have HTTPS enabled on their high traffic login pages, they could at least use the Password Hasher to encrypt the data sent back to the server.

I feel glad that this time I agree 100% with microsoft on their stance on SSL and NON SSL usage. Well, I also do understand the Bank's need for using NON-SSL for high volume traffic sites. But one should draw a line somewhere and not compromise the security of their customers Identity and credentials ! (and that too in this world of Identity Theft).

NOW, that's where they should be looking at Access Manager. If they let Access Manager broker their authentication requests, they could continue using HTTP for high traffic pages and then when the user tries to access his online banking information Access Manager could Authenticate them over HTTPS (ah! did I forget to mention that Access Manager authenticates using TOKENS and not TICKETS), and well, with the complexities of the policies and rulesets that Access Manager can handle, the server serving up "critical" information could all be served securely. Did I also forget to mention that we have a Secure Remote Access Gateway too?

SOMEBODY !!
Talk to these Banks Please...