WebApp Sec mailing list archives
Re: Growing Bad Practice with Login Forms
From: Ivan Krstic <krstic () fas harvard edu>
Date: Wed, 28 Jul 2004 13:25:27 +0100
This thread has been a less information-dense rehash of a similar thread on Perry's crypto ('Using crypto against Phishing, Spoofing, and Spamming...' started by Amir Herzberg, CC'd, on July 4th 2004 11:30am). I'd advise all to give that thread a read, as some very good points are brought up. I also quote here parts of one of Amir's later messages, in which he links to his paper that presents a possible solution to the "fakeable padlock" problem:

Amir Herzberg writes:

> [...]
>
> In fact, many `serious` web sites ask users to enter passwords etc. in pages which are NOT PROTECTED, usually relying on a script in the page to invoke SSL just before submitting the information; this implies that a spoofing/phishing site can present the same content and collect the unencrypted passwords... I found such vulnerabilities in many of the most prestigious web sites, including Microsoft's Passport, Chase, E-Bay, Amazon, Yahoo! and TD Waterhouse (see screen shots at fig 5 of [1]). So my conclusion is: the problem is not with SSL/TLS, the problem is in their current use by browsers (and we present a possible fix in the paper).

The paper ([1]) is here: http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm

Cheers,
Ivan.
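As an added example (not code from this thread, nor from Herzberg's paper), the following Python script is one way to audit a page for the pattern Amir describes: it finds every form containing a password field and reports whether the page the user sees was itself served over HTTPS and whether the form's action posts to HTTPS. The page URL and HTML below are constructed placeholders; a form is only considered acceptable when both the page and the action are TLS, since a TLS action alone does nothing against a spoofed copy of an unprotected page.

```python
"""Audit helper: flag login forms served from, or posting to, a non-TLS origin.
Added example; not code from the mailing-list thread or the cited paper."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    """Collect every <form> together with the input types it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "inputs": [type, ...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per password form in `html`, as fetched from `page_url`.

    Each finding carries the resolved form action and:
      page_is_tls   - the page the user sees was served over https
      action_is_tls - the form submits to an https URL
      ok            - both are true; a TLS action on a plain-http page is the
                      exact weakness described in the thread
    """
    parser = _FormFinder()
    parser.feed(html)
    page_is_tls = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if "password" not in form["inputs"]:
            continue
        # An empty action posts back to the page URL itself.
        action = urljoin(page_url, form["action"]) if form["action"] else page_url
        action_is_tls = urlsplit(action).scheme == "https"
        findings.append({
            "action": action,
            "page_is_tls": page_is_tls,
            "action_is_tls": action_is_tls,
            "ok": page_is_tls and action_is_tls,
        })
    return findings


# Constructed sample: a login form on a plain-http page that posts to https,
# plus an unrelated search form that should be ignored.
SAMPLE_HTML = """
<html><body>
<form action="https://login.example.test/auth" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_login_forms("http://www.example.test/home", SAMPLE_HTML):
        print(finding)
```

Run against a real site's login page HTML, the script only inspects the markup; it does not follow the script-driven SSL switch Amir mentions, so a form with an http action that is rewritten by JavaScript at submit time is still reported as not ok, which is the conservative result a reviewer wants.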