Security Basics mailing list archives

Re: encryption (added phishing)


From: "Philip Wagenaar" <p.wagenaar () accon nl>
Date: Thu, 27 Jan 2005 14:13:30 +0100

The problem here is that the webpage is still sent in clear text over the wire, unless you use SSL. And the webpage 
isn't signed, so it could be created/modified by anyone.

Let me take an example of phishing. We all got an email once from a bank or auction website asking us to update our 
info and give away our credit card information. This works because the end user just doesn't know any better. How could 
we use encryption and signing here?

I believe gnupg/pgp-like software should be part of any decent web browser these days. If I open my browser and do my 
banking online I want to know:

A) The communication between me and the bank's website is secure
B) The website that loads as my online banking website, really is my online banking website

These two can be accomplished by using certificates/SSL. They make sure I am on the right website and that communication is 
encrypted.

But what if a hacker uses a website with a working certificate for phishing? I would still see the SSL icon in Internet 
Explorer and assume it's all good. What if a hacker changes the <FORM> tag on the website on my bank's site and sends my 
credentials to his own website?

gnupg/pgp could be used here. I want a key from my bank, to do online banking. If the website is not my bank's the key 
won't work and I will be alerted by my computer (instead of that same SSL icon for each website). If a hacker changed 
the contents of a webpage on my bank's site, my computer would alert me, because the signing on the webpage would not 
be good anymore.

Am I being paranoid? Or would this be a solution, that's not too hard to implement and would make the web an even more 
secure place?

Met vriendelijke groet,

(Philip) Wagenaar
Assistent ICT Projecten & Advies

AccoN Accountants & Adviseurs
ICT Projecten & Advies
Postbus 5090
6802 EB Arnhem
The Netherlands

tel. +31 (0)26-3842384
fax. +31 (0)26-3630222
mobile: +31 (0)6-25388935
MSN/E-mail: p.wagenaar () accon nl
http://www.accon.nl
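
The scheme Philip describes above, a page signed with the bank's key so that the browser can refuse it if anyone rewrites its contents, as an added example in Go that is not part of this thread and not code from any browser or bank. It uses Ed25519 from the Go standard library in place of gnupg/pgp, a constructed sample page, and constructed hostnames; the idea that the browser holds the bank's public key ahead of time is an assumption the example builds on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// SignedPage is a hypothetical bundle of a page body and the detached
// signature a bank would publish next to it (not a real browser format).
type SignedPage struct {
	Body      string
	Signature []byte
}

// SignPage is the publish-time step on the bank's side: sign the exact bytes
// of the page with the bank's private key.
func SignPage(priv ed25519.PrivateKey, body string) SignedPage {
	return SignedPage{Body: body, Signature: ed25519.Sign(priv, []byte(body))}
}

// VerifyPage is the browser-side check against a public key it already
// holds for the bank. Any byte-level change to the body, or a signature made
// with some other key, makes this return false.
func VerifyPage(pub ed25519.PublicKey, page SignedPage) bool {
	return ed25519.Verify(pub, []byte(page.Body), page.Signature)
}

// bankPage is a constructed sample login page; bank.example is a placeholder host.
const bankPage = `<html><body>
<form action="https://bank.example/login" method="post">
<input name="user"><input name="pass" type="password">
</form></body></html>`

// changeFormAction reproduces the tampering scenario from the post: the form
// target is rewritten while the page otherwise looks identical to the user.
func changeFormAction(body string) string {
	return strings.Replace(body, "https://bank.example/login", "https://not-the-bank.example/login", 1)
}

// ScenarioResult holds the three verification outcomes the post reasons about.
type ScenarioResult struct {
	Genuine  bool // untouched page, bank's key: should verify
	Tampered bool // form action rewritten, bank's key: should fail
	WrongKey bool // untouched page, some other site's key: should fail
}

// RunScenario generates a bank key pair and an unrelated key pair, signs the
// sample page, and checks all three cases.
func RunScenario() (ScenarioResult, error) {
	bankPub, bankPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ScenarioResult{}, err
	}

	page := SignPage(bankPriv, bankPage)
	// The attacker keeps the bank's signature but changes the body.
	tampered := SignedPage{Body: changeFormAction(page.Body), Signature: page.Signature}

	return ScenarioResult{
		Genuine:  VerifyPage(bankPub, page),
		Tampered: VerifyPage(bankPub, tampered),
		WrongKey: VerifyPage(otherPub, page),
	}, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine page verifies:      %v\n", r.Genuine)
	fmt.Printf("rewritten form verifies:    %v\n", r.Tampered)
	fmt.Printf("verifies under another key: %v\n", r.WrongKey)
}
```

The check only helps if the browser obtained the bank's public key through some channel other than the page itself and refuses to render a page that does not verify; otherwise a phishing site can simply ship its own key next to its own signature, which is the same trust question SSL certificates answer with certificate authorities.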


Kevin Carlson <kevin () kcarlson net> 27-01-05 06:37 >>>
There are alternatives which may be more powerful or easier for you to 
implement.

For example, you can control directory access using a .htaccess file 
with Apache servers.  Give the password to only those who should have 
access.

You can also store text content in an online database such as MySQL, and 
programmatically control access via password.  Pages may then be 
dynamically generated and accessible via a rule-based system.  (This is 
perhaps your most flexible option, although it does require some 
programming in a language such as PHP.)

Kevin


Philip Wagenaar wrote:

I was also looking at gnupg.

There are a lot of tools for it. Also signing HTML files. I was wondering if signing HTML files is useful. And if it 
is, anyone have any experience with it?

Also, is it possible to encrypt HTML files and make them available for a specified number of users. I would have a 
webpage on my webserver. I would encrypt it with gnupg/pgp, and I would encrypt it for a number of users?

Met vriendelijke groet,

(Philip) Wagenaar
Assistent ICT Projecten & Advies

AccoN Accountants & Adviseurs
ICT Projecten & Advies
Postbus 5090
6802 EB Arnhem
The Netherlands

tel. +31 (0)26-3842384
fax. +31 (0)26-3630222
mobile: +31 (0)6-25388935
MSN/E-mail: p.wagenaar () accon nl 
http://www.accon.nl


 

"Robert Hines" <b.hines () comcast net> 25-01-05 00:22 >>>
       

Alas, that would be because you have to pay for it now.  In the olden days,
all the PGP features were free, but now the basic signing is free, the value
added protection is not. 

Bob



"Pleasure in the job puts perfection in the work." - Aristotle 384-322 BC


-----Original Message-----
From: Philip Wagenaar [mailto:pb.wagenaar () chello nl] 
Sent: Saturday, January 22, 2005 5:35 PM
To: security-basics () securityfocus com 
Subject: encryption

Hi,

Up to a few years ago PGP and encryption were a hot item. But it seems it
has stood still for a few years now. Google and PGP show up only pgp
programs that are more than years old.

How is encryption these days? What has come by since PGP?

Philip Wagenaar
http://www.wagenaar.123.nl 




==================================================================

The information transmitted in this e-mail is intended only for
the person or entity to which it is addressed and contains
confidential information. Any review, retransmission or other
use by persons or entities other than the intended recipient is
prohibited. If you received this in error, please contact the
sender and delete the material from any computer. Thank you. 

##################################################################

#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared 
by MailMarshal
#####################################################################################
