
Bank results misleading, evaluate the internet banking domains instead?

Open alexzorin opened this issue 10 years ago • 2 comments

In almost all cases, banks have brochureware websites with distinct separated internet banking domains/hosts.

IMO it doesn't make much sense to be testing the brochureware endpoint, which is currently all that is tested. Any potential issues in the actual internet banking section are not going to be uncovered.

i.e. onlinebanking.tdbank.com vs tdbank.com

The list of banks should either be better curated or have a disclaimer that httpswatch does not actually evaluate the internet banking part of the website, just the brochure part.

Thanks for your work

alexzorin, Feb 05 '15 11:02

You are correct. However, one of the goals of HTTPSWatch is to advocate for HTTPS everywhere, not just "secure" areas. That is why we mostly link to homepages.

benjaminp, Feb 11 '15 02:02

To avoid many vulnerabilities, it's critical that all pages use HTTPS.

For example, a visitor easily gets p0wned by MITM + phishing if the brochureware website is HTTP-only (or without HSTS). I think this issue can be closed.

sandstrom, Dec 29 '15 20:12
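The point made in the last two comments (an HTTP-only or HSTS-less brochure site lets an on-path attacker intercept the very first hop before the user ever reaches the separate banking host) can be turned into a concrete check. The following is an added example written for this thread, not HTTPSWatch's own grading code. It grades a brochure host on three things: whether plain HTTP redirects to HTTPS, whether the HTTPS response carries a valid Strict-Transport-Security header (browsers ignore HSTS sent over plain HTTP, per RFC 6797), and whether that policy's includeSubDomains flag actually covers the banking host when it is a subdomain of the brochure host. The hostnames (bank.example, onlinebanking.bank.example) and all responses are constructed samples, and the 86400-second minimum max-age is an assumed threshold, not a rule from the project.

```python
"""Grade a bank's brochure host on whether it protects the hop to its
internet-banking host. Added example for this thread, not HTTPSWatch code.
All hostnames and responses are constructed samples, not real observations."""
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Response:
    url: str                        # URL that was requested
    status: int
    headers: dict = field(default_factory=dict)


def header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def parse_hsts(value: Optional[str]) -> Optional[Tuple[int, bool]]:
    """Parse Strict-Transport-Security into (max_age, include_subdomains).
    Returns None when the header is absent or lacks a numeric max-age,
    since browsers discard such a header entirely."""
    if value is None:
        return None
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def is_subdomain(host: str, parent: str) -> bool:
    return host == parent or host.endswith("." + parent)


def grade_pair(http_resp: Response, https_resp: Optional[Response],
               banking_host: str, min_max_age: int = 86400):
    """Grade a first visit typed as http://<brochure host>/ that later
    navigates to https://<banking_host>/. Returns (grade, reasons) with
    grade in {"bad", "weak", "good"}; the threshold is an assumed value."""
    reasons = []
    brochure_host = urlsplit(http_resp.url).hostname
    if https_resp is None:
        return "bad", ["no HTTPS endpoint for the brochure host"]
    # 1. Plain HTTP must redirect to https://, otherwise the MITM already has the page.
    location = (header(http_resp.headers, "Location") or "").lower()
    if not (http_resp.status in (301, 302, 307, 308) and location.startswith("https://")):
        return "bad", ["http:// served content without redirecting to https://"]
    # 2. HSTS only counts on the HTTPS response (RFC 6797: ignored over plain HTTP).
    if header(http_resp.headers, "Strict-Transport-Security") and \
            not header(https_resp.headers, "Strict-Transport-Security"):
        reasons.append("HSTS sent only over HTTP, which browsers ignore")
    policy = parse_hsts(header(https_resp.headers, "Strict-Transport-Security"))
    if policy is None:
        reasons.append("no valid HSTS on the https:// response: the next visit still starts over HTTP")
        return "weak", reasons
    max_age, include_sub = policy
    if max_age < min_max_age:
        reasons.append(f"HSTS max-age {max_age}s is below the assumed minimum of {min_max_age}s")
        return "weak", reasons
    # 3. A subdomain banking host is only covered if the apex policy says includeSubDomains.
    if is_subdomain(banking_host, brochure_host) and banking_host != brochure_host and not include_sub:
        reasons.append(f"HSTS lacks includeSubDomains, so {banking_host} is not covered "
                       f"by the policy learnt on {brochure_host}")
        return "weak", reasons
    if not is_subdomain(banking_host, brochure_host):
        reasons.append(f"{banking_host} is a separate domain and needs its own HSTS policy")
    return "good", reasons


# Constructed sample responses for four common configurations.
_REDIRECT = Response("http://bank.example/", 301, {"Location": "https://bank.example/"})
SAMPLES = {
    "http_only": (Response("http://bank.example/", 200, {"Content-Type": "text/html"}), None),
    "https_no_hsts": (_REDIRECT, Response("https://bank.example/", 200, {"Content-Type": "text/html"})),
    "hsts_apex_only": (_REDIRECT, Response("https://bank.example/", 200,
                                           {"Strict-Transport-Security": "max-age=31536000"})),
    "hsts_subdomains": (_REDIRECT, Response("https://bank.example/", 200,
                                            {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})),
}


def grade_samples() -> dict:
    """Grade every constructed sample against the constructed banking host."""
    return {name: grade_pair(h, s, "onlinebanking.bank.example")[0] for name, (h, s) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (h, s) in SAMPLES.items():
        print(name, grade_pair(h, s, "onlinebanking.bank.example"))
```

The `hsts_apex_only` sample is the case the thread is really about: the homepage is on HTTPS with HSTS, yet a user who types the apex name is not protected on the way to `onlinebanking.` because the apex policy does not include subdomains. To run this against live hosts you would fetch the two responses with an HTTP client and pass them in; the grading logic itself needs no network.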