12/7/99

That nice, safe feeling

Bills due! I tried to login to my Wells Fargo online Bill Pay service today. That's really all I wanted to do, pay bills.

The Sign On button tells me "BEFORE YOU CONTINUE: Your browser is not authorized." Okay, so they don't like the fact that I've installed the IE5.5 preview. They're definitely not letting me in, though all their browser tests inform me happily that I'm very well suited, since I have the 128-bit version, all the glitzy security features on.

I hunt around a bit, and come up with a toll-free number: 800-956-4442. Now I can just ask someone about their support of IE5.5, get some lame excuse, and send my bills via U.S. Mail. Love this stuff.

But my ears perk up, accompanied by a stomach-sinking feeling, when the electronic voice asks me to enter my social security number. ("I bet they're going to ask for the online password too.")

It's secure, it's just that everyone can hear you

"Please enter your password." And I'm thinking, good thing I'm using the cell phone, even though that's not really secure, it's at least something. I contemplate hanging up, but punch in the digits, since by now I really want to talk to a person.

"There is no such thing as IE5.5. You might be using a beta. Betas aren't approved for banks." This guy really seems clueless, and he probably doesn't have any influence anyway, so talking to him about SSL and public-key encryption isn't going to help.

Now, on a normal day, I wouldn't have gotten my feathers ruffled. But these guys just made me do something blatantly, ridiculously insecure: type in all my login information over the telephone. Everything's numeric, so it could be reconstructed exactly with little effort. If you have access to my "Bill Pay" feature, you can write a check of any amount to anyone, more or less instantly. It does not make me happy to have to jump through hoops for this kind of treatment.

And as I'm thinking about it, the "security" they're using is really client-side. It would be pretty easy to change my browser version, no? And that hasn't compromised the security of the 128-bit encryption, the SSL challenge. No one's eavesdropping, or otherwise the math doesn't work. Hell, if my browser version really makes any difference to the security of this connection, I don't want to use the stuff anyway.

So I change it. (There's this minor little resource in urlmon.dll...)

And of course, everything works.

Which also ticks me off.

Rant

I downloaded Netscape 0.9 the day it came out -- Mosaic and Cello pre-alpha before that. And, back then there was a new browser every week, and everyone was really excited.

And the Web grew and changed.

Now, Microsoft won't let me have two versions of a browser on my system (or not easily), and reinstalling 20 MB of gunk in system32 and rebooting twice every time I want to pay my bills is just not the way this stuff should work.

But we have to be paranoid. So the idea is that anyone who tries to do something (admittedly) bland, unexciting, but slightly new and different is evil and suspect.

But unfortunately for my bank, people who upgrade their browsers often are just the kind of people who pay their bills online. This of course means that the very people who might be willing to use this Bill Pay service are the very ones who are prevented from using it. Is the Internet important to their business? Maybe not... And the solutions aren't simple -- downgrade a Microsoft product? You've got to be kidding!

In proportion to their paranoia of betas, I would like Wells Fargo to provide a full disclosure of their methods for determining security, including the code reviews they've had with Microsoft and Netscape personnel. Of course, a separate (and detailed) document is needed for each patch version and bugfix. This will ensure that they're at least two years behind the current browser curve, making their service effectively useless.

For that matter, Wells Fargo should guarantee the security of the client in its entirety, using only client-side security methods. Specifically, they should ensure that there isn't a possibility that any code on the client anywhere could be logging keystrokes or transmitting screenshots. They should ensure that no one's looking over your shoulder. In fact, you should have to go to the bank to do a transaction at all.

These steps would ensure a more secure banking experience for everyone.

No, really

Otherwise, and I think this is important, they're operating on trust, on a standard and certain mathematics that makes communicating with SSL secure. Honestly, if a browser rev can spoof 128-bit SSL, those guys in Redmond are really a whole lot smarter than I ever thought. In other words, the best you can do with current browsers is to make a 128-bit SSL connection, and anything else you do is really pointless, because there really is no other widely-distributed security method for a browser. All the rest can be spoofed, hacked, faked, or eavesdropped.
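As an added illustration (not code from the original post, and not Wells Fargo's), here is the distinction argued above and in the earlier "client-side security" paragraph written as a server-side check: the cipher strength the server itself negotiated is the only hard gate, while the client-supplied User-Agent header is parsed only to decide whether to show a compatibility warning. The User-Agent strings, version thresholds and the 128-bit cutoff are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed 1999-style User-Agent patterns (assumption: the bank's gate
# compared strings like these; this is not the bank's actual logic).
IE_RE = re.compile(r"MSIE (\d+)\.(\d+)")
NAV_RE = re.compile(r"^Mozilla/(\d+)\.(\d+)(?!.*compatible)")

# Versions the (hypothetical) bank has tested; anything newer is "untested".
TESTED_IE_MAX = (5, 0)


@dataclass
class Decision:
    allowed: bool
    reason: str


def parse_browser(ua: str):
    """Classify a User-Agent header as ('ie'|'netscape'|'unknown', (major, minor))."""
    m = IE_RE.search(ua)
    if m:
        return "ie", (int(m.group(1)), int(m.group(2)))
    m = NAV_RE.search(ua)
    if m:
        return "netscape", (int(m.group(1)), int(m.group(2)))
    return "unknown", (0, 0)


def gate(ua: str, negotiated_key_bits: int) -> Decision:
    """Decide whether to let a sign-on proceed.

    negotiated_key_bits is what the server observed on its own TLS/SSL
    session, so it is trustworthy; the User-Agent string is whatever the
    client chose to send, so it only drives an advisory message.
    """
    if negotiated_key_bits < 128:
        return Decision(False, "weak cipher negotiated")
    family, ver = parse_browser(ua)
    if family == "unknown" or (family == "ie" and ver > TESTED_IE_MAX):
        return Decision(True, "untested browser; allow with warning")
    return Decision(True, "ok")
```

Two requests that differ only in the User-Agent string get the same security outcome here, which is exactly why the header cannot carry the decision on its own.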

While they're at it, maybe they could make it possible to talk to a person on the phone without broadcasting my login information to anyone who wants to listen.