Sunil Mohan Adapa’s Blog


A bank that encourages spoofing

Posted in Random by Sunil Mohan Adapa on May 7th, 2005

A site that offers a secure connection should educate and encourage its users to follow several security practices. Providing an SSL login and believing that this makes the site as secure as technology allows is colossal stupidity. One of these user practices is to verify that one is browsing an SSL-enabled site and that the connection is secure. Another is to check that the secure connection is with the intended site.

HDFC bank’s online banking facility does not tell its users to follow these practices anywhere on its site, placing it among the hordes of other high-security-claiming insecure sites. That in itself is not a big deal, as most other secure sites are the same. But what is different about this bank is that they try to make sure you never follow these practices even if you know them. When we go to the main page of their site and click on netbanking, they open a popup without an address bar. Now how does one know that this is the site one intended to use? It no longer matters whether the connection is secure, because a person who has spoofed the page can also have his own SSL certificate and hence establish a secure connection (don’t tell me it will be difficult to obtain one). Firefox helps us a bit here, but what about users of other browsers? One can go to the View menu and enable the address bar, alright, but is that an excuse for what they have done?
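One way a site can open its login window without hiding the address bar, as an added example (not code from this post or from the bank’s site); the function names and the bank.example URL are assumptions:

```javascript
// Added example (not from the original post): open a login popup while
// keeping the browser's address bar visible, so users can check the site
// name and the padlock. Names such as openLoginPopup are hypothetical.

// Parse a window.open feature string ("width=600,location=no,...") into a map.
function parseFeatures(features) {
  const out = {};
  for (const part of features.split(',')) {
    const [key, value] = part.split('=').map((s) => s.trim());
    if (key) out[key.toLowerCase()] = value === undefined ? 'yes' : value;
  }
  return out;
}

// Return a feature string that always leaves the address bar enabled,
// overriding any location=no / location=0 the caller passed.
function hardenFeatures(features) {
  const f = parseFeatures(features);
  f.location = 'yes';
  return Object.entries(f).map(([k, v]) => `${k}=${v}`).join(',');
}

// Guard: only hand users to an https URL, so the padlock means something.
function isHttpsUrl(url) {
  try {
    return new URL(url).protocol === 'https:';
  } catch (e) {
    return false;
  }
}

// Wrapper around window.open; `opener` is injectable so the logic can be
// exercised outside a browser. Returns the feature string used, or null.
function openLoginPopup(url, features, opener) {
  if (!isHttpsUrl(url)) return null;
  const hardened = hardenFeatures(features);
  opener(url, 'login', hardened);
  return hardened;
}

if (typeof window !== 'undefined') {
  // Placeholder URL; in a browser this opens the popup with the bar visible.
  openLoginPopup('https://bank.example/login', 'width=800,height=600,location=no',
    (u, n, f) => window.open(u, n, f));
}
```

Current browsers generally refuse to hide the location bar in popups regardless of the feature string, so the normaliser mainly matters for the older browsers this post was written against.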

Of course, I reported this to them several months back and got a typical corporate-bulls**t reply while they silently continue to do this.

 