Dan Kaminsky’s Black Ops 2006 talk was oversubscribed, so it took a while to start, with people searching for seats and emptying the hallways. According to Dan’s research, 26% of the top 50 banks have some screwed-up login process. The banks that display a login/password form over plain HTTP on every page are the worst. The banks that ask for the username over plain HTTP and then redirect to an SSL page for the password entry are wising up.
Kaminsky’s advice? As soon as the user starts typing the username, generate an IFRAME that loads an HTTPS page inside it. That SSL page should ask for the password, not the plain-text HTTP one.
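The pattern above in browser JavaScript, as an added example that is not from the talk or the original post: the parent page is plain HTTP, and the first keystroke in the username field inserts an iframe pointed at an HTTPS origin that hosts the password field. The origin `login.example-bank.test`, the element ids, the `/login/password` path and the postMessage format are assumptions.

```javascript
// Added example (not from the talk or the original post). On a plain-HTTP page,
// as soon as the user starts typing a username, load the password field from an
// HTTPS origin inside an iframe so the password is typed into the secure page.
// LOGIN_ORIGIN, the element ids and the message format are assumptions.

const LOGIN_ORIGIN = 'https://login.example-bank.test';

// URL for the password frame. Refuses anything but https: so a typo in the
// origin cannot silently fall back to a plain-text password form.
function passwordFrameUrl() {
  const url = new URL('/login/password', LOGIN_ORIGIN);
  if (url.protocol !== 'https:') {
    throw new Error('password frame must be served over HTTPS');
  }
  return url.toString();
}

// Insert the frame once, and only after the user has actually typed something.
function shouldInsertFrame(username, frameAlreadyPresent) {
  return username.trim().length > 0 && !frameAlreadyPresent;
}

// Inside the HTTPS frame: accept the username only from the expected parent
// origin, so a page that embeds the frame from elsewhere cannot prefill it.
function usernameFromMessage(event, expectedParentOrigin) {
  if (event.origin !== expectedParentOrigin) return null;
  if (typeof event.data !== 'object' || event.data === null) return null;
  return typeof event.data.username === 'string' ? event.data.username : null;
}

// Parent-page wiring. Guarded so the file also loads where there is no DOM.
function installPasswordFrame(doc) {
  const userInput = doc.getElementById('username');
  const slot = doc.getElementById('password-slot');
  let frame = null;
  userInput.addEventListener('input', () => {
    if (!shouldInsertFrame(userInput.value, frame !== null)) return;
    frame = doc.createElement('iframe');
    frame.src = passwordFrameUrl();
    // Hand the username over after load, delivered only to the HTTPS origin.
    frame.addEventListener('load', () => {
      frame.contentWindow.postMessage({ username: userInput.value }, LOGIN_ORIGIN);
    });
    slot.replaceChildren(frame);
  });
}

if (typeof document !== 'undefined') {
  installPasswordFrame(document);
}
```

The parent page is still plain HTTP, so this keeps the password itself off the wire in the clear; it does not protect against an attacker who can rewrite that HTTP page.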
