Monday, September 15, 2008

Yay Chase- security is good!

At some point in the not-too-distant past, I noticed that Chase switched their main home page to use HTTPS. In general, it's a marketing site, so who cares? However, the thing that's great about this is that Chase provides a web banking login right on their marketing site's homepage. Even though the old HTTP page posted back to an HTTPS endpoint on submit, it was a major security hole- subject to phishing, DNS poisoning, man-in-the-middle, and who-knows-what-else attacks. They're also using secure cookies, but not httpOnly. Decent, anyway...

As a side note, we've resisted marketing and user requests for this functionality since day one. Marketing has not (to date) been willing to switch their site to HTTPS-only, and we're unwilling to make the security compromise. I think a number of users were taken aback by our response to "but my bank does it, it must be secure!"

Bravo, Chase- hopefully your competition will follow in your footsteps, leading to a slightly more secure financial web for us all.

No comments: