Security Basics mailing list archives
Re: encryption (added phishing)
From: "Philip Wagenaar" <p.wagenaar () accon nl>
Date: Thu, 27 Jan 2005 14:13:30 +0100
The problem here is that the webpage is still sent in clear text over the wire, unless you use SSL. And the webpage isn't signed, so it could be created/modified by anyone.

Let me take an example of phishing. We all got an email once from a bank or auction website asking us to update our info and give away our credit card information. This works because the end user just doesn't know any better. How could we use encryption and signing here?

I believe gnupg/pgp-like software should be part of any decent web browser these days. If I open my browser and do my banking online I want to know:

A) The communication between me and the bank's website is secure
B) The website that loads as my online banking website really is my online banking website

These two can be accomplished by using certificates/SSL. They make sure I am on the right website and that communication is encrypted. But what if a hacker uses a website with a working certificate for phishing? I would still see the SSL icon in Internet Explorer and assume it's all good. What if a hacker changes the <FORM> tag on the website on my bank's site and sends my credentials to his own website?

gnupg/pgp could be used here. I want a key from my bank to do online banking. If the website is not my bank's, the key won't work and I will be alerted by my computer (instead of that same SSL icon for each website). If a hacker changed the contents of a webpage on my bank's site, my computer would alert me, because the signing on the webpage would not be good anymore.

Am I being paranoid? Or would this be a solution that's not too hard to implement and would make the web an even more secure place?

Kind regards,

(Philip) Wagenaar
Assistent ICT Projecten & Advies
AccoN Accountants & Adviseurs
ICT Projecten & Advies
Postbus 5090
6802 EB Arnhem
The Netherlands
tel. +31 (0)26-3842384
fax. +31 (0)26-3630222
mobile: +31 (0)6-25388935
MSN/E-mail: p.wagenaar () accon nl
http://www.accon.nl
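The check Philip is asking for, as an added example that is not part of the thread: the "browser" pins one public key per site and accepts a page only if its detached signature verifies under that key, so a modified <FORM> on the real site and a look-alike site with its own valid key and certificate are both rejected. It uses Ed25519 from the Go standard library in place of gnupg, and the site names, pages and keys are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedPage is the HTML the server sent plus a detached signature over
// exactly those bytes (the role a PGP signature plays in the post's idea).
type SignedPage struct {
	HTML      []byte
	Signature []byte
}

// SignPage runs on the bank's side: sign the served page bytes with the bank key.
func SignPage(bankKey ed25519.PrivateKey, html []byte) SignedPage {
	return SignedPage{HTML: html, Signature: ed25519.Sign(bankKey, html)}
}

// Browser pins one public key per site (hypothetical browser feature).
type Browser struct {
	Pinned map[string]ed25519.PublicKey
}

// VerifyPage accepts a page only if it verifies under the key pinned for that
// site; the TLS padlock is not consulted at all, which is the point of the post.
func (b Browser) VerifyPage(site string, p SignedPage) error {
	key, ok := b.Pinned[site]
	if !ok {
		return fmt.Errorf("%s: no key pinned for this site, do not trust it", site)
	}
	if !ed25519.Verify(key, p.HTML, p.Signature) {
		return fmt.Errorf("%s: signature invalid, page altered or signed by someone else", site)
	}
	return nil
}

func main() {
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed: not the bank's key
	browser := Browser{Pinned: map[string]ed25519.PublicKey{"bank.example": bankPub}}
	page := []byte(`<form action="https://bank.example/login">`) // constructed sample page
	genuine := SignPage(bankPriv, page)
	fmt.Println("genuine:", browser.VerifyPage("bank.example", genuine))
	altered := bytes.Replace(page, []byte("bank.example"), []byte("attacker.example"), 1)
	fmt.Println("altered:", browser.VerifyPage("bank.example", SignedPage{HTML: altered, Signature: genuine.Signature}))
	fmt.Println("lookalike:", browser.VerifyPage("bank-login.example", SignPage(otherPriv, page)))
}
```

The "altered" case is the changed <FORM> tag carrying the old signature, and the "lookalike" case is a site with a perfectly good key of its own but no pin in the browser.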
Kevin Carlson <kevin () kcarlson net> 27-01-05 06:37 >>>
There are alternatives which may be more powerful or easier for you to implement. For example, you can control directory access using a .htaccess file with Apache servers. Give the password to only those who should have access.

You can also store text content in an online database such as MySQL, and programmatically control access via password. Pages may then be dynamically generated and accessible via a rule-based system. (This is perhaps your most flexible option, although it does require some programming in a language such as PHP.)

Kevin

Philip Wagenaar wrote:
I was also looking at gnupg. There are a lot of tools for it. Also signing HTML files. I was wondering if signing HTML files is useful. And if it is, does anyone have any experience with it? Also, is it possible to encrypt HTML files and make them available for a specified number of users? I would have a webpage on my webserver. I would encrypt it with gnupg/pgp... and I would encrypt it for a number of users?

Kind regards,

(Philip) Wagenaar
Assistent ICT Projecten & Advies
AccoN Accountants & Adviseurs
ICT Projecten & Advies
Postbus 5090
6802 EB Arnhem
The Netherlands
tel. +31 (0)26-3842384
fax. +31 (0)26-3630222
mobile: +31 (0)6-25388935
MSN/E-mail: p.wagenaar () accon nl
http://www.accon.nl

"Robert Hines" <b.hines () comcast net> 25-01-05 00:22 >>>
Alas, that would be because you have to pay for it now. In the olden days, all the PGP features were free, but now the basic signing is free, the value added protection is not.

Bob
"Pleasure in the job puts perfection in the work." - Aristotle 384-322 BC

-----Original Message-----
From: Philip Wagenaar [mailto:pb.wagenaar () chello nl]
Sent: Saturday, January 22, 2005 5:35 PM
To: security-basics () securityfocus com
Subject: encryption

Hi,

Up to a few years ago PGP and encryption was a hot item. But it seems it has stood still for a few years now. Google and PGP show up only pgp programs that are more than years old. How is encryption these days? What has come by since PGP?

Philip Wagenaar
http://www.wagenaar.123.nl

----------------------------------------
I am using the free version of SPAMfighter for private users. It has removed 3447 spam emails to date. Paying users do not have this message in their emails. Try www.SPAMfighter.com for free now!

##################################################################
The information transmitted in this e-mail is intended only for the person or entity to which it is addressed and contains confidential information. Any review, retransmission or other use by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Thank you.
##################################################################
This e-mail message has been scanned for Viruses and Content and cleared by MailMarshal