WebApp Sec mailing list archives

Re: Proposal to anti-phishing


From: Rogan Dawes <discard () dawes za net>
Date: Mon, 17 Jan 2005 08:58:24 +0100

Lyal Collins wrote:
To expand on this, there is nothing to stop the phisher capturing the entire
session (i.e. MITM tunneling), even using a valid OTP token to log on, and
even a second OTP token to 'authenticate' a transaction.
With tunneling the entire session, the attacker can easily present the user
with screens saying "transfer $200 to mum" while telling the banking site to
"transfer $1000 to joe () hacking site.somewhere".


Lyal


Exactly. And this is another reason to use SSL client certificates. Because they are invulnerable (for large numbers of invulnerable ;-) to MITM attacks.

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
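The two claims in this exchange (a relayed OTP goes straight through a tunnelling phisher, while a TLS client-certificate handshake does not) can be checked with a small model. The following is an added example and is not code from either poster. It is a simplification: the client's CertificateVerify is modelled as an HMAC keyed with the client's private key over a hash of the handshake transcript, standing in for the real public-key signature; the point it preserves is that the value is bound to the exact handshake the client saw. The key, OTP value, server "public keys" and class names are all constructed for the example.

```python
"""Toy model: relayed OTP vs. transcript-bound client-certificate auth.

Assumption (not the real TLS wire format): CertificateVerify is modelled
as HMAC(client_private_key, hash(handshake transcript)). A real
CertificateVerify is a signature, but it is equally bound to the
transcript, which is the property this example demonstrates.
"""
import hashlib
import hmac
import secrets


def transcript_hash(client_random: bytes, server_random: bytes, server_key: bytes) -> bytes:
    """Hash of the handshake as one side observed it."""
    return hashlib.sha256(client_random + server_random + server_key).digest()


class Client:
    def __init__(self, cert_key: bytes, otp: str):
        self.cert_key = cert_key        # private key behind the client certificate
        self.otp = otp                  # one-time password from the token
        self.client_random = secrets.token_bytes(32)

    def certificate_verify(self, server_random: bytes, server_key: bytes) -> bytes:
        """MAC (standing in for a signature) over the handshake this client saw."""
        th = transcript_hash(self.client_random, server_random, server_key)
        return hmac.new(self.cert_key, th, hashlib.sha256).digest()


class Bank:
    def __init__(self, client_cert_key: bytes, expected_otp: str):
        self.client_cert_key = client_cert_key
        self.expected_otp = expected_otp
        self.server_key = b"bank-server-public-key"   # constructed placeholder
        self.server_random = secrets.token_bytes(32)   # fresh per handshake

    def check_otp(self, otp: str) -> bool:
        """An OTP is a bearer credential: whoever presents it is accepted."""
        return hmac.compare_digest(otp.encode(), self.expected_otp.encode())

    def check_certificate_verify(self, client_random: bytes, tag: bytes) -> bool:
        """Recompute over the bank's own handshake values and compare."""
        th = transcript_hash(client_random, self.server_random, self.server_key)
        expected = hmac.new(self.client_cert_key, th, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class Phisher:
    """Terminates the victim's connection and opens a separate one to the bank."""
    def __init__(self):
        self.server_key = b"phisher-server-public-key"  # constructed placeholder
        self.server_random = secrets.token_bytes(32)


KEY = secrets.token_bytes(32)   # constructed client certificate key
OTP = "482913"                  # constructed sample OTP


def honest_client_cert_login() -> bool:
    """Control case: client handshakes directly with the bank."""
    bank = Bank(KEY, OTP)
    client = Client(KEY, OTP)
    tag = client.certificate_verify(bank.server_random, bank.server_key)
    return bank.check_certificate_verify(client.client_random, tag)


def relayed_otp_login() -> bool:
    """Victim types the OTP into the phisher's page; phisher forwards it."""
    bank = Bank(KEY, OTP)
    client = Client(KEY, OTP)
    stolen_otp = client.otp
    return bank.check_otp(stolen_otp)       # accepted: the tunnel works


def relayed_client_cert_login() -> bool:
    """Victim signs the phisher's handshake; phisher forwards that to the bank."""
    bank = Bank(KEY, OTP)
    client = Client(KEY, OTP)
    phisher = Phisher()
    tag = client.certificate_verify(phisher.server_random, phisher.server_key)
    return bank.check_certificate_verify(client.client_random, tag)  # rejected


if __name__ == "__main__":
    print("direct client-cert login:", honest_client_cert_login())
    print("OTP relayed through phisher:", relayed_otp_login())
    print("client cert relayed through phisher:", relayed_client_cert_login())
```

The phisher only gets to rewrite the "transfer $200 to mum" screen because it terminates the TLS connection with its own key and random; that same act is what puts a different transcript under the client's signature, so the bank rejects it. If the phisher instead passed the bank's real handshake values through untouched, the signature would verify, but the phisher would then hold none of the session keys and could read or alter nothing. The model says nothing about a compromised client machine, where the private key and the screens are both under the attacker's control.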

