Interesting People mailing list archives
more on SSL/false security
From: "Dave Farber" <dave () farber net>
Date: Fri, 10 Aug 2007 06:30:42 +0900
-----Original Message-----
From: Strata R Chalup [mailto:strata () virtual net]
Sent: Friday, August 10, 2007 6:14 AM
To: dave () farber net
Subject: more on SSL/false security

http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html

is a great writeup on two-phase authentication systems and man in the middle attacks, using a real exploit on Bank of America's SiteKey(tm) system as an example. Note that a proxied MitM attack can simply exploit the user's own security questions to bypass the 'secure' vendor cookie that supposedly prevents such attacks.

Note that the institutions using these systems often don't consider the impact of their own policies on site improvement. I had to spend some of my bank's tech support money to prove to myself that I hadn't been phished when they suddenly, without any notice to customers, "improved" the online UI. Log in, see a different interface that resembles the old one but is clearly different.

The truly sad thing is that their tech support mentioned that they hadn't gotten many calls about this-- in a tone that implied "Why are you even asking?"

O Brave New World, that has such *cough* whatever in it.

best regards,
Strata R Chalup
CEO, founder
Virtual.Net Inc

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
* Artist, Gardener, Engineer, Slacker, Bodhisattva *
* Strategic IT Consulting | strata () virtual net *
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*