[Gllug] Sainsbury's Bank with Linux: online banking followup

Nix nix at esperi.org.uk
Mon Oct 15 21:24:17 UTC 2007


[MJR, I notice that Sainsbury's Bank's Online Saver isn't on your
 wonderfully comprehensive list of Linux-compatible accounts. Feel
 free to add it.]


I tried Sainsbury's Bank's Online Saver account in the end, on the basis
that if it didn't work it wouldn't cost me anything (this being a
savings account that starts off empty). (Plus it's got a pretty good
interest rate.)

You've got to be damned careful in the account activation process,
because your custom security question and answer have maximum lengths,
but the input boxes don't have length maxima, and if you exceed them,
you just get told that the question is `not acceptable' with no
indication of why.

Also, passwords using forbidden characters (e.g. spaces) are not always
diagnosed: the account activates fine, but then you can't log in to it.
(A helpdesk bod, from the sound of it South Indian with an implausibly
English name, reset this for me in moments at 8pm on a Monday night.
Less than fifteen seconds waiting on hold. Please can BT outsource its
phone centres? This is better service than I've ever had from them.)


But this is all non-browser-specific stuff. On the browser-specific
side, I can verify that every graphical browser I've tried works (other
than links in graphical mode, which is hardly surprising as it doesn't
support cookies by design): Firefox 2, Konqueror 3.5.7, IE6 under Wine,
Mozilla Seamonkey... I didn't bother trying IE5.x or Netscape on the
basis that anyone using them on today's Internet is a moron (plus I
didn't have either of them to hand).

On the encryption front, they use 128-bit SSL (RC4 with an SHA-1 MAC via
TLSv1; you too can see the crypto parameters in more detail by going to
<https://online.sainsburysbank.co.uk/>). There's no proper two-factor
auth or anything like that: they ask you for your username (effectively
public), password, and a not-very-random one of the security questions
you filled in. The latter doesn't seem to change (i.e. they always seem
to ask the same question, or they rotate less often than once every 48
hours), and of course it's no more secure than your password and
personally has a hell of a lot less entropy than the sorts of passwords
I choose :)

(Confusingly, Konqueror claims that pages after the login page are not
encrypted, even though it's still using HTTPS. Wireshark shows that all
the protocol traffic is still TLSv1, so I think this must be a Konqueror
bug. Time to hit bugs.kde.org...)


(Of course as this is all encrypted traffic it doesn't matter if you
use an HTTP proxy as browsers are all going to tunnel through it via
CONNECT anyway, but for the record Polipo 1.0.3 works fine.)

-- 
`Some people don't think performance issues are "real bugs", and I think 
such people shouldn't be allowed to program.' --- Linus Torvalds
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
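The two activation problems in the post (length limits that are enforced but never explained, and a password with a space that activation accepts but login then rejects) both come down to validation rules that are neither shared between the two steps nor reported back to the user. As an added example, not code from the post or from the bank, here is one policy function that both activation and login run, returning the specific reason for a rejection; the limits, the forbidden-character set and the in-memory account store are all constructed for illustration.

```python
import hmac

# Added example, not the bank's code. All limits below are hypothetical.
MAX_LEN = {"question": 50, "answer": 30, "password": 20}
FORBIDDEN = {"password": frozenset(" \t")}   # the post reports spaces being rejected


def validate(field, value):
    """Return a list of human-readable problems for one field (empty list = OK)."""
    problems = []
    if not value:
        problems.append(f"{field}: must not be empty")
    if len(value) > MAX_LEN[field]:
        problems.append(f"{field}: {len(value)} chars, maximum is {MAX_LEN[field]}")
    bad = sorted(set(value) & FORBIDDEN.get(field, frozenset()))
    if bad:
        problems.append(f"{field}: forbidden characters {bad}")
    return problems


def validate_all(fields):
    """Apply the policy to every field; the SAME function runs at activation and at login."""
    return [p for name, value in fields.items() for p in validate(name, value)]


ACCOUNTS = {}   # constructed in-memory store: username -> secrets (a real system would hash them)


def activate(username, question, answer, password):
    """Enrol the account only if every secret passes the shared policy."""
    problems = validate_all({"question": question, "answer": answer, "password": password})
    if problems:
        return False, problems
    ACCOUNTS[username] = {"question": question, "answer": answer, "password": password}
    return True, []


def login(username, password, answer):
    """Run the same policy before comparing secrets, so a value that could never
    have been enrolled is rejected with the same diagnostics activation gives."""
    problems = validate_all({"password": password, "answer": answer})
    if problems:
        return False, problems
    acct = ACCOUNTS.get(username)
    ok = acct is not None and all(
        hmac.compare_digest(acct[k].encode(), v.encode())   # constant-time comparison
        for k, v in (("password", password), ("answer", answer)))
    return ok, [] if ok else ["credentials do not match"]
```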