Is This Site Secure for Me to Enter in my Password?

HopJokey

Platinum Member
May 6, 2005
2,110
0
0
http://www.heritagebankofcommerce.com/

I emailed them and this was their response:

Thank you for taking the time to contact us regarding our new website! I can assure you that your online banking login information is secured and encrypted. Once you press the "Go" button to log in, both your username and password are secured via SSL 128-bit encryption prior to being sent to our Online Banking provider. Heritage Bank of Commerce takes the security of your confidential information very seriously, and a significant review of our new website has been conducted to assure that it is safe. If you have any further concern, please don't hesitate to contact me directly.

My assumption is that any data sent from that page will be unencrypted and therefore insecure. Am I correct?
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: HopJokey

Cool thanks.

Will the data I transmit (the client) not be encrypted though?

The data you submit will be encrypted. The SSL handshake occurs before any data is sent, so if you type data into an unencrypted page, but the form sends it to an encrypted page, the data is safe.

The risk of entering data into an unencrypted page is that the page was intercepted before it was delivered to you and thus someone could have modified the destination (changed onlinecr.com to something else to try and steal your credentials). If you receive the login form via an encrypted page, your browser verifies that the real website gave you the form.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: Zugzwang152

The data you submit will be encrypted. The SSL handshake occurs before any data is sent, so if you type data into an unencrypted page, but the form sends it to an encrypted page, the data is safe.

The risk of entering data into an unencrypted page is that the page was intercepted before it was delivered to you and thus someone could have modified the destination (changed onlinecr.com to something else to try and steal your credentials). If you receive the login form via an encrypted page, your browser verifies that the real website gave you the form.

Also keep in mind the reverse holds true: If you type your username and password into a page that is encrypted, but the form destination (onlinecr.com) is not encrypted, your credentials will be sent in clear text and could be stolen more easily.

 

HopJokey

Platinum Member
May 6, 2005
2,110
0
0
Originally posted by: Zugzwang152

The data you submit will be encrypted. The SSL handshake occurs before any data is sent, so if you type data into an unencrypted page, but the form sends it to an encrypted page, the data is safe.

The risk of entering data into an unencrypted page is that the page was intercepted before it was delivered to you and thus someone could have modified the destination (changed onlinecr.com to something else to try and steal your credentials). If you receive the login form via an encrypted page, your browser verifies that the real website gave you the form.

This is what I am worried about the data being intercepted before it was delivered. I try to avoid entering in credentials on a public network like a hotspot, but just in case I needed to do so I would feel a lot better if the page was on an SSL.
 

MrChad

Lifer
Aug 22, 2001
13,507
3
81
Originally posted by: HopJokey
Originally posted by: Zugzwang152

The data you submit will be encrypted. The SSL handshake occurs before any data is sent, so if you type data into an unencrypted page, but the form sends it to an encrypted page, the data is safe.

The risk of entering data into an unencrypted page is that the page was intercepted before it was delivered to you and thus someone could have modified the destination (changed onlinecr.com to something else to try and steal your credentials). If you receive the login form via an encrypted page, your browser verifies that the real website gave you the form.

This is what I am worried about the data being intercepted before it was delivered. I try to avoid entering in credentials on a public network like a hotspot, but just in case I needed to do so I would feel a lot better if the page was on an SSL.

I think that you're misunderstanding. The only risk is that someone intercepts the login page before it reaches your browser, then changes the HTML so that the login form submits to a different location.

[ Server ] ---> HTML ---> Malicious user ---> Changed HTML ---> [ Browser ]

Your browser would display the same login page, but if you viewed the source, the login form would submit to some random page. This type of attack is avoided in one of two ways:

1. Encrypting the home page where the login form is displayed.
2. Viewing the source of the home page to ensure that the login form is submitting to the correct URL (in this case, https://onlinencr.com/SignOn/SignOn.asp)

It's an unlikely scenario, but it's an argument used by security experts for why home pages should be encrypted.

That said, if the login form is pointing to the correct URL (https://onlinencr.com/SignOn/SignOn.asp), your login data will be encrypted. A network sniffer cannot intercept the cleartext of your login, because it will only be transmitted in encrypted form.
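A check for the two cases discussed in this thread (point 2 above, and the reverse case from the earlier reply, where an HTTPS page has a form that posts to plain HTTP), as an added example that is not from the thread or the bank's site: it parses a copy of the page and flags every form containing a password field whose resolved action is not HTTPS. The sample pages are constructed, and the tampered host name is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Records every <form> action and whether the form holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of [action, has_password_input]
        self._current = None   # the form currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None \
                and (a.get("type") or "").lower() == "password":
            self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(page_url, html):
    """Return the resolved submit URLs of password forms that would NOT go over HTTPS.

    Actions are resolved against page_url, so an empty or relative action on an
    HTTP page is flagged (it posts back over HTTP); on an HTTPS page it is fine.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    targets = [urljoin(page_url, action) for action, has_pw in scanner.forms if has_pw]
    return [t for t in targets if urlparse(t).scheme != "https"]


# Constructed sample of the thread's case: HTTP home page whose form posts to the HTTPS sign-on URL.
GOOD_PAGE = """<html><body><form action="https://onlinencr.com/SignOn/SignOn.asp" method="post">
<input name="user"><input type="password" name="pass"><input type="submit" value="Go">
</form></body></html>"""

# Constructed tampered copy: the action was rewritten in transit to a plain-HTTP placeholder host.
TAMPERED_PAGE = GOOD_PAGE.replace("https://onlinencr.com/SignOn/SignOn.asp",
                                  "http://tampered-host.example/SignOn.asp")

# Constructed "reverse" case from the earlier reply: HTTPS page, but the form posts over plain HTTP.
REVERSE_PAGE = GOOD_PAGE.replace("https://onlinencr.com", "http://onlinencr.com")
```

Feed it the HTML your browser actually received (view-source or a saved copy), since that is the copy an on-path modification would have changed.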
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Easy trick - just enter in bogus username/password and you'll usually be taken to a fully encrypted page.
 

HopJokey

Platinum Member
May 6, 2005
2,110
0
0
Thanks everyone for clearing up my misconceptions of the transmission process.

I think the bank's IT department was getting some of the same concerns from many customers so they are now going to secure the home page:

Based on your feedback, and feedback we have received from other clients, we have made some changes effective immediately, and some that will be implemented within a few weeks.

Starting now, all Online Banking logins have been moved to a secured page. In addition, Heritage has secured a VeriSign security certificate for our home page, which will be implemented within a few weeks.

We truly appreciate your feedback, and although we felt secure with the site, we want to make sure that you feel secure!
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
It's always been disturbing that, on one side, we have security folks telling everyone to look for the "padlock". And then there are sites like banks that have login pages with no little padlock. It seems like there is less of that nowadays, though.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: RebateMonger
It's always been disturbing that, on one side, we have security folks telling everyone to look for the "padlock". And then there are sites like banks that have login pages with no little padlock. It seems like there is less of that nowadays, though.

SSL resources/accelerators are finite and cost a lot of money. The line of thinking is "if it doesn't need to be encrypted, then don't".
 

Red Squirrel

No Lifer
May 24, 2003
70,166
13,573
126
www.anyf.ca
I've always gone with the saying "encrypt everything you can". When you only encrypt what you really need, you are making it a finer target. If you just encrypt everything then it's way more data. For example if you have a very top secret file, rather than just encrypt that one file, encrypt the whole folder, or even the whole hard drive.

Form submissions are a good thing to be aware of though. You can be on a https site but if the POST does not go through https, it's not secure. I was actually concerned about my domain registrar as the login page was not encrypted, but then I looked at the source and it goes to https, so that's fine.

For a low budget, self signed certs are better than no encryption at all. The warnings will get some users worried though, but for a LAN/WAN environment it's not so bad. For example I have a self signed cert for secure.iceteks.net and I just put aliases to any site I need to be secure such as the phpmyadmin page. It's scary how many hosts don't put that or cpanel on a secure site.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
That approach is only good on the small scale. Once you get into the 1000s or 10s of thousands of SSL transactions per second you learn that SSL resources/acceleration isn't free and costs money. Accept it, encryption costs money and resources and to waste it on things like your home page isn't just a bad idea, it's bad business and wasteful.

I've been in these meetings before and they aren't pretty - "encrypt everything!"
Fine - that will cost you 500,000 dollars.

"What? You mean it isn't free?"

No, nothing is free.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: spidey07
That approach is only good on the small scale. Once you get into the 1000s or 10s of thousands of SSL transactions per second you learn that SSL resources/acceleration isn't free and costs money. Accept it, encryption costs money and resources and to waste it on things like your home page isn't just a bad idea, it's bad business and wasteful.

I've been in these meetings before and they aren't pretty - "encrypt everything!"
Fine - that will cost you 500,000 dollars.

"What? You mean it isn't free?"

No, nothing is free.

This is true. I linked someone in the security forum to a research paper that concluded 70% of the resources used to process an SSL request were spent on encryption alone.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Most any commercial site will use load balancers and these load balancers terminate the SSL connections and do it all in hardware. Then it's http to the web server front end from the content switches (load balancers). But still, there is only a finite amount of hardware and a finite limit to how many transactions per second it can do. So you treat SSL resources just like any other computing resource - use it when you must, and only when you must.
 

Zugzwang152

Lifer
Oct 30, 2001
12,134
1
0
Originally posted by: spidey07
Most any commercial site will use load balancers and these load balancers terminate the SSL connections and do it all in hardware. Then it's http to the web server front end from the content switches (load balancers). But still, there is only a finite amount of hardware and a finite limit to how many transactions per second it can do. So you treat SSL resources just like any other computing resource - use it when you must, and only when you must.

additional hardware = additional resources :p
 

Red Squirrel

No Lifer
May 24, 2003
70,166
13,573
126
www.anyf.ca
Originally posted by: spidey07
That approach is only good on the small scale. Once you get into the 1000s or 10s of thousands of SSL transactions per second you learn that SSL resources/acceleration isn't free and costs money. Accept it, encryption costs money and resources and to waste it on things like your home page isn't just a bad idea, it's bad business and wasteful.

I've been in these meetings before and they aren't pretty - "encrypt everything!"
Fine - that will cost you 500,000 dollars.

"What? You mean it isn't free?"

No, nothing is free.

True I would not encrypt the entire home page lol. But for example if you have the choice between using regular pop3 or encrypted pop3 then I would use encrypted pop3 hands down. Same with ftp or anything that has a password to get in.