[142143] in cryptography@c2.net mail archive
Re: On the topic of "Asking the drunk"...
daemon@ATHENA.MIT.EDU (Jerry Leichter)
Sat Jan 10 12:21:08 2009
Cc: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
To: pgut001@cs.auckland.ac.nz (Peter Gutmann)
In-Reply-To: <E1LLFrI-00008J-A6@wintermute01.cs.auckland.ac.nz>
Date: Sat, 10 Jan 2009 06:13:49 -0500
On Jan 9, 2009, at 6:49 AM, Peter Gutmann wrote:
> https://visa.com/
I get no response. None at https://www.visa.com either.
On the other hand, the US-specific site, https://usa.visa.com,
responds just fine - but it redirects you to
http://usa.visa.com/index.html. Try that same address with https, and
it's accepted - but again redirected to the http version.
That one is at least in the Visa domain. It gets a bit more complex
for other regions - e.g., the Asian sites are accessible via https://www.visa-asia.com/
- but that redirects to
http://www.visa-asia.com/ap/index.shtml - even though
https://www.visa-asia.com/ap/index.shtml actually works!
I'm guessing that Visa has country- (or perhaps region-)specific
certs, which would make some sense - but the random mix of http and
https addresses is pretty broken.
It's not clear there's anything at visa.com that's really in need of
protecting, of course. It's not a card issuer, its member banks are.
Then again ... if you start from https://usa.visa.com and go to
"Access Account Information", you are sent to a (non-SSL) page that
claims to have links to the largest issuing banks - except that none
of the "links" actually works - which I guess is appropriate, since
you shouldn't be trusting them anyway!
A very strange set of sites....
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
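
Added example, not part of the original message: a small offline check that flags redirect hops leaving TLS, the pattern described above. The redirect pairs are constructed from the URLs quoted in the message (plus two `example.test` entries), and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: (requested URL, Location header value) pairs modelled on
# the redirects described in the message; this is not captured traffic.
SAMPLE_REDIRECTS = [
    ("https://usa.visa.com", "http://usa.visa.com/index.html"),
    ("https://www.visa-asia.com/", "http://www.visa-asia.com/ap/index.shtml"),
    ("https://example.test/login", "/account"),         # relative, stays on https
    ("http://example.test/", "https://example.test/"),  # upgrade, not a finding
]


def classify_redirect(requested, location):
    """Return 'downgrade', 'upgrade' or 'same-scheme' for one redirect hop."""
    # Location may be relative or scheme-relative; resolve it first.
    target = urljoin(requested, location)
    src, dst = urlsplit(requested), urlsplit(target)
    if src.scheme == "https" and dst.scheme == "http":
        return "downgrade"
    if src.scheme == "http" and dst.scheme == "https":
        return "upgrade"
    return "same-scheme"


def find_downgrades(redirects):
    """List every hop that starts on https and lands on http."""
    findings = []
    for requested, location in redirects:
        if classify_redirect(requested, location) != "downgrade":
            continue
        target = urljoin(requested, location)
        findings.append({
            "from": requested,
            "to": target,
            # A same-host downgrade means the server could have kept TLS.
            "same_host": urlsplit(requested).hostname == urlsplit(target).hostname,
            # Candidate URL for checking whether the https form is served.
            "https_equivalent": "https" + target[len("http"):],
        })
    return findings


if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE_REDIRECTS):
        print(finding)
```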