5

I noted that on a lot of money-related websites (banks, paypal, etc), you are brought to a page that "logs you in securely". This is an example of one:

enter image description here

Meanwhile, websites that also store very sensitive information, such as google wallet, facebook, etc (all of which use SSL), don't use this page. What is the advantage of this, and why is it only used on some websites?

Jon
  • 386
  • 1
  • 3
  • 13

3 Answers3

4

Security Theatre

This splash screen is not necessary for the user, but the company chose to introduce a the splash screen showing that they think security is important and saying that they are supposedly away 'doing' security.

The only good thing here is that they think security is important to them and their clients.

The increased security (ssl/https) should already be in place at this stage anyway.

If their login process is slow, that is a different matter, but this interstitial spash screen may improve the user experience.

Alternative explanation:

They could be interrogating a backend password database on their mainframe systems. Banks have old crufty systems with interesting limitations.

Andrew Russell
  • 3,653
  • 1
  • 20
  • 29
  • Spot on. Often times it's a "feel good smokescreen" which is masking the amount of time it takes to query the backend database for user authentication. – k1DBLITZ Apr 16 '14 at 15:57
2

As others have noted, a big part of the role of the splash screen is to make sure that the user sees the word "securely" and gets the impression that "something is done about security". The best security systems are invisible (when you don't see anything, and business proceeds unimpeded, then the security systems are optimal), but the general public does not know that; the public expects security to happen spectacularly. Deep in their mind, users would not be surprised if using a "secure Web site" made all the room lights turn red, like in a submarine.

For that matter, the psychological effect may be directed at the bank manager, too: he paid for a "secure Web site" so he wants to see some security happening. That species of no-nonsense businessmen with limited grasp of technology is still prevalent in the upper layers of management.


There are a few "rational" reasons that may explain a delay. They are not probable; most sites with a delay still do that only for the security theatre. But they might apply in a few cases:

  • The delay may be due to the background launching of some applet (Java, Silverlight, ActiveX...) which has a slow initialization process, and tries to do some "extra security" in some way (such a system will be needed if client-side signatures are used).

  • Verifying a user password may entail some non-negligible computing effort if proper password hashing is used. This can imply some delay, especially if "server relief" is used: the bulk of the hashing may be done client-side, so that the server may handle hundreds of clients effortlessly. In that case, the hashing proceeds at client speed (Javascript...), so this can take a few seconds.

  • The server may want to prevent massive dictionary attacks by imposing a delay of a few seconds between any two requests from the same IP and/or for the same account. This delay can be made intrinsic if a proof-of-work system is used (but, there again, Javascript won't help).

  • The delay may be needed for the server to open tunnels to a bunch of old legacy systems where the banking data actually is. Banking software must strictly adhere to a huge number of rules, encompassing both the actual code behaviour (in particular rounding issues) and development methodology (line-by-line independent audit and so on); the consequence is that such software is not created often, and old systems tend to linger a lot. Last I heard, many banks are still using OS/2. Convincing all these systems to power up and find some user's data can take a few seconds... If the system is going to be slow, what better excuse than to claim that it is "for security" ?

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
0

I could well be wrong, but I suspect that this is just camouflage for some other process that is slow. Setting up an SSL connection - as you note - is usually very fast. For example, TurboTax does exactly what you describe, but I really think that they are just putting up something feasible for the general public when they are performing the authentication and retrieving the account details.

It isn't actually untrue - they really are setting up the connection, but I think it's a bit misleading: the 2048 bit SSL key on www.paypal.com gives no more cryptographic protection than the 2048 bit SSL key used on www.facebook.com.

Dave Mulligan
  • 511
  • 4
  • 7