Banks Shifting Logins to Non-SSL Pages

After years of training customers to trust only SSL-enabled sites, banks are shifting their online banking logins to the unencrypted home pages of their websites. Although the data is encrypted once the user hits the "Sign In" button, the practice runs counter to years of customer conditioning, as well as the goals of the browser makers. Three of the five largest U.S. banks now display login forms on non-SSL home pages, including Bank of America, Wachovia and Chase, as well as financial services giant American Express.

Web sites are generally reluctant to use "https" on busy home pages, since SSL involves a tradeoff: improved security, but slower response time. Consumers, meanwhile, prefer easy to-remember URLs for their online banking. In placing login screens on non-SSL home pages, banks are trying to have it both ways: fast page loading without the SSL-related performance hit. The login form's "action" URL points to an SSL-enabled https URL.

Since the introduction of SSL, Internet users have been urged to check for the "golden lock" icon to ensure a web session is encrypted before conducting e-commerce transactions. As phishing has grown rampant, the Anti-Phishing Working Group and Federal Trade Commission have warned consumers to be sure a web page is using SSL before sharing personal information.

Mindful of this, many of the banks using homepage logins include a link to security information. "You may notice when you are on our home page that some familiar indicators do not appear in your browser to confirm the entire page is secure," Bank of America notes in its security note, accessed by clicking an icon on the login form. "Those indicators include the small 'lock' icon in the bottom right corner of the browser frame and the 's' in the Web address bar (for example, 'https'). To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Please be assured that your ID and passcode are secure and that only Bank of America has access to them."

This growing practice was criticized by Microsoft in April. "If the login form was delivered via HTTP, there's no guarantee it hasn't been changed between the server and the client," Microsoft's Eric Lawrence wrote on the IE7 blog. "A bad guy sitting on the wire between the two could simply retarget the POST to submit to a HTTPS site that he controls."

Netcraft's SSL Survey provides detailed information about encrypted transactions and e-commerce, including the growth rate for SSL-enabled sites, and which operating systems, server software and certificates are most widely used on these sites.