Since the introduction of SSL, Internet users have been urged to check for the “golden lock” icon to ensure a web session is encrypted before conducting e-commerce transactions. As phishing has grown rampant, the Anti-Phishing Working Group and Federal Trade Commission have warned consumers to be sure a web page is using SSL before sharing personal information.
Mindful of this, many of the banks using homepage logins include a link to security information. “You may notice when you are on our home page that some familiar indicators do not appear in your browser to confirm the entire page is secure,” Bank of America says in its security note, accessed by clicking an icon on the login form. “Those indicators include the small ‘lock’ icon in the bottom right corner of the browser frame and the ‘s’ in the Web address bar (for example, ‘https’). To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Please be assured that your ID and passcode are secure and that only Bank of America has access to them.”
This growing practice was criticized by Microsoft in April. “If the login form was delivered via HTTP, there’s no guarantee it hasn’t been changed between the server and the client,” Microsoft’s Eric Lawrence wrote on the IE7 blog. “A bad guy sitting on the wire between the two could simply retarget the POST to submit to a HTTPS site that he controls.”
Netcraft’s SSL Survey provides detailed information about encrypted transactions and e-commerce, including the growth rate for SSL-enabled sites, and which operating systems, server software and certificates are most widely used on these sites.