Exactly. Chase is the only one who that doesn't do that, which is kind of odd for such a corporation. Same as the USBank that was mentioned. I don't know get why they have you login from a main front page (i.e. chase.com or usbank.com) when those front pages should be for general users and they should have a separate SSL page for users who are coming to login.Originally posted by: Lifted
Originally posted by: duragezic
Exactly. I just heard of this exploit now. Last night I was running some numbers on my finances so I was hitting my bank and both credit card sites. I just checked and the certificate for my credit union and Discover looks legit, but the login page for Chase isn't SSL secure (the page itself), so I can't tell. Doxpara said I should be safe, hopefully that is true.Originally posted by: spidey07
Modelworks - read my post up above. A LOT of banking/credit card/shopping sites the main page is not SSL and there is an area to enter your username/pass. Of course the username/pass is sent with SSL on the real site and the next page is SSL as well.
So all I gotta do is slap up a page identical to the banks, your browser will show http://www.usbank.com but your connected to my web server, not the banks. Then you enter your username/pass, now I has it.
There is no way to tell if the site is legit or not this way
I'm on TWC RoadRunner in New York.
In this instance it would be best to navigate to an SSL page that before logging in. If that is not possible, complain to your bank and/or open an account at a new bank that understands security.
Banks that have login via non SSL pages clearly don't understand that SSL certs are also used to verify ones identity, which means that of all the people working on the banks website, not a single one has a clear understanding of this. Not a good sign in my opinion.