
Bank results misleading, evaluate the internet banking domains instead? #76

Open
alexzorin opened this issue Feb 5, 2015 · 2 comments

Comments

@alexzorin

In almost all cases, banks have brochureware websites with distinct, separate internet banking domains/hosts.

IMO it doesn't make much sense to be testing the brochureware endpoint, which is currently all that is tested. Any potential issues in the actual internet banking section are not going to be uncovered.

i.e. onlinebanking.tdbank.com vs tdbank.com

The list of banks should either be better curated or have a disclaimer that httpswatch does not actually evaluate the internet banking part of the website, just the brochure part.

Thanks for your work

@benjaminp
Owner

You are correct. However, one of the goals of HTTPSWatch is to advocate for HTTPS everywhere not just "secure" areas. That is why we mostly link to homepages.

@sandstrom
Contributor

To avoid many vulnerabilities it's critical that all pages use HTTPS.

For example, a visitor easily gets p0wned by MITM + phishing if the brochureware website is HTTP-only (or without HSTS). I think this issue can be closed.
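To make the distinction in this thread concrete, here is an added Python checker (not HTTPSWatch's own code) that grades a host from captured responses as HTTP-only, HTTPS-without-HSTS, or HSTS, and reports whether an apex policy with includeSubDomains would also cover a separate banking host. Every response below is a constructed fixture, not a real observation of tdbank.com.

```python
"""Grade how a bank's hosts enforce HTTPS, from captured response headers.
Added example, not HTTPSWatch's checker. All fixtures are constructed."""
import re
from urllib.parse import urlsplit

HSTS_MAX_AGE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)

def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if absent or malformed."""
    if not header:
        return None
    m = HSTS_MAX_AGE.search(header)
    if not m:
        return None
    directives = [d.strip().lower() for d in header.split(";")]
    return int(m.group(1)), "includesubdomains" in directives

def classify(http_resp, https_resp):
    """http_resp / https_resp are (status, headers) for a plain-HTTP and an
    HTTPS request to the host's root. Returns a grade string."""
    status, headers = http_resp
    target = urlsplit(headers.get("Location", ""))
    if status not in (301, 302, 307, 308) or target.scheme != "https":
        return "http-only"        # every visit starts and may stay in the clear
    hsts = parse_hsts(https_resp[1].get("Strict-Transport-Security"))
    if hsts is None or hsts[0] == 0:
        return "https-no-hsts"    # only the first hop is still interceptable
    return "hsts"                 # browser pins HTTPS after one good visit

def covered_by_parent(child, parent, parent_https_resp):
    """True if the parent's HSTS policy (includeSubDomains, max-age > 0)
    extends to child. The browser only learns it after visiting parent over HTTPS."""
    hsts = parse_hsts(parent_https_resp[1].get("Strict-Transport-Security"))
    return bool(hsts and hsts[1] and hsts[0] > 0 and child.endswith("." + parent))

# Constructed fixtures: brochureware apex vs. a separate internet-banking host.
FIXTURES = {
    "tdbank.com": ((200, {}), (200, {})),
    "onlinebanking.tdbank.com": (
        (301, {"Location": "https://onlinebanking.tdbank.com/"}),
        (200, {"Strict-Transport-Security": "max-age=31536000"}),
    ),
}

def report():
    """Grade every fixture host; returns {host: grade}."""
    return {host: classify(*resps) for host, resps in FIXTURES.items()}

if __name__ == "__main__":
    for host, grade in report().items():
        print(f"{host:28} {grade}")
```

With these fixtures the banking host grades "hsts" while the apex grades "http-only", which is exactly the gap the thread is about: a user who types tdbank.com can be intercepted before ever reaching the protected banking host.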
