Originally Posted by docbert
However if you instead typed "http://www.bankofamerica.com", and didn't notice that you were actually redirected to https://www.bankofamercia.com, then you've got a problem... Because the original site you went to wasn't over httpS then someone intercepting the traffic can easily redirect you to another site. Even though your access to that site might be over https/SSL, the certificate verification will still succeed (and the lock will show) because at the end of the day you ARE talking to the "real" bankofamercia.com! (You did notice the difference, right?)
But, how would I be fooled by the login page presented by Bankofamercia.com?
After I enter my UserID at BofA.com, it then shows me a graphic I'd previously selected, as well as a phrase below it that I'd hand entered. If that doesn't appear, then I know something is wrong.
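
The redirect docbert describes in the quoted text, as an added example that is not part of the original thread: a check over a redirect chain that flags a plaintext first hop and a final host that is a near-miss of the one typed. The function names, the distance threshold and the sample chain (built from the two URLs in the post) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def osa_distance(a, b):
    """Edit distance that counts swapping two adjacent characters as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def check_chain(chain, max_distance=2):
    """chain: the URL the user typed, followed by each redirect target in order."""
    findings = []
    typed = urlsplit(chain[0])
    final = urlsplit(chain[-1])
    typed_host = (typed.hostname or "").lower()
    final_host = (final.hostname or "").lower()
    # A first request over plain http can be rewritten by anyone on the path.
    if typed.scheme != "https":
        findings.append("plaintext-first-hop")
    # A valid certificate only proves the final host is what it claims to be,
    # not that it is the host the user meant, so compare the two names.
    if final_host != typed_host:
        if osa_distance(typed_host, final_host) <= max_distance:
            findings.append("lookalike-host")
        else:
            findings.append("different-host")
    return findings

# Constructed sample: the two URLs quoted in the post above.
SAMPLE = ["http://www.bankofamerica.com", "https://www.bankofamercia.com"]

if __name__ == "__main__":
    print(check_chain(SAMPLE))
```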