WebApp Sec mailing list archives
Re: Proposal to anti-phishing
From: Rogan Dawes <discard () dawes za net>
Date: Mon, 17 Jan 2005 08:58:24 +0100
Lyal Collins wrote:
To expand on this, there is nothing to stop the phisher capturing the entire session (i.e. MITM tunneling), even using a valid OTP token to log on, and even a second OTP token to 'authenticate' a transaction. With tunneling the entire session, the attacker can easily present the user with screens saying "transfer $200 to mum" while telling the banking site to 'transfer $1000 to joe () hacking site.somewhere'.
Lyal
Exactly. And this is another reason to use SSL client certificates. Because they are invulnerable (for large numbers of invulnerable ;-) to MITM attacks.
Rogan
--
Rogan Dawes
*ALL* messages to discard () dawes za net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
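The difference between the two messages above, as an added toy model (not code from the thread, from any bank, or from either poster): a tunnelling phisher relays the victim's OTPs unchanged and substitutes the transaction, whereas a proof that is bound to the peer the browser actually connected to, in the way a TLS client-certificate CertificateVerify signature is bound to the handshake transcript, does not verify when relayed to the real bank. Everything here is an assumption for illustration: the host names, the seeds and keys, the six-digit OTP, and in particular the use of a shared HMAC key in place of the client's asymmetric signature, so that the model runs with the standard library only. The model also assumes the attacker is purely on the network path; a client key stolen from the user's machine, or malware driving the browser, is outside what channel binding addresses.

```python
import hashlib
import hmac
import secrets

# Constructed identities for the model (assumptions, not from the thread).
BANK_ID = "bank.example"          # host the bank's certificate is issued for
MITM_ID = "bank-login.example"    # phisher's host, which tunnels the session to the bank


def otp_code(seed: bytes, counter: int) -> str:
    """Event-based OTP: six hex digits of HMAC-SHA256(seed, counter). A toy, not RFC 4226."""
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:6]


def bound_proof(client_key: bytes, server_id: str, nonce: bytes) -> str:
    """Client proof bound to the server identity the client actually connected to and to
    the server's fresh nonce.  Stands in for the TLS CertificateVerify signature, which
    covers the handshake transcript (server certificate and randoms included).  Real TLS
    uses the client's private key here; a shared HMAC key is a stand-in for this model."""
    return hmac.new(client_key, server_id.encode() + b"|" + nonce, hashlib.sha256).hexdigest()


class Bank:
    def __init__(self, otp_seed: bytes, client_key: bytes):
        self.otp_seed = otp_seed        # seed shared with the customer's OTP token
        self.client_key = client_key    # stands in for the customer's certificate public key
        self.ledger = []                # (payee, amount) pairs the bank has executed

    def transfer_with_otps(self, logon_ctr, logon_otp, txn_ctr, txn_otp, payee, amount):
        """Scheme 1: OTP at logon plus a second OTP per transaction.  Neither code is
        bound to the channel or to the transaction content, so both can be relayed."""
        ok = (hmac.compare_digest(logon_otp, otp_code(self.otp_seed, logon_ctr))
              and hmac.compare_digest(txn_otp, otp_code(self.otp_seed, txn_ctr)))
        if ok:
            self.ledger.append((payee, amount))
        return ok

    def fresh_nonce(self) -> bytes:
        return secrets.token_bytes(16)

    def transfer_with_bound_proof(self, nonce, proof, payee, amount):
        """Scheme 2: client-certificate style.  The bank only accepts a proof computed
        over ITS identity and ITS nonce; a proof made for some other server is useless."""
        ok = hmac.compare_digest(proof, bound_proof(self.client_key, BANK_ID, nonce))
        if ok:
            self.ledger.append((payee, amount))
        return ok


OTP_SEED = b"constructed-otp-seed"      # constructed sample secrets
CLIENT_KEY = b"constructed-client-key"


def mitm_against_otps():
    """Lyal's scenario: the user sees 'transfer $200 to mum' on the phisher's page and
    types both OTPs; the phisher relays the codes unchanged and substitutes the payee."""
    bank = Bank(OTP_SEED, CLIENT_KEY)
    logon_otp = otp_code(OTP_SEED, 1)   # user reads these off the real token
    txn_otp = otp_code(OTP_SEED, 2)
    accepted = bank.transfer_with_otps(1, logon_otp, 2, txn_otp, "joe", 1000)
    return accepted, list(bank.ledger)


def mitm_against_bound_proof():
    """Same tunnel, but authentication is bound to the peer.  The victim's browser proves
    possession of the key to the host it connected to (the phisher), so the relayed proof
    does not verify at the bank and no transfer happens."""
    bank = Bank(OTP_SEED, CLIENT_KEY)
    nonce = bank.fresh_nonce()                       # phisher forwards the bank's nonce
    proof = bound_proof(CLIENT_KEY, MITM_ID, nonce)  # computed over the phisher's identity
    accepted = bank.transfer_with_bound_proof(nonce, proof, "joe", 1000)
    return accepted, list(bank.ledger)


def honest_bound_session():
    """Control case: the customer talks to the bank directly and the proof verifies."""
    bank = Bank(OTP_SEED, CLIENT_KEY)
    nonce = bank.fresh_nonce()
    proof = bound_proof(CLIENT_KEY, BANK_ID, nonce)
    accepted = bank.transfer_with_bound_proof(nonce, proof, "mum", 200)
    return accepted, list(bank.ledger)


if __name__ == "__main__":
    print("OTP relay:", mitm_against_otps())
    print("Bound proof relayed:", mitm_against_bound_proof())
    print("Bound proof, honest:", honest_bound_session())
```

The point the model isolates is where the binding lives: an OTP is evidence that the user holds the token, but it says nothing about which server the user was talking to or what they were approving, so a relay carries it through intact. A client-certificate handshake commits the client to the server it actually reached; the relay can forward the bytes but cannot turn a proof made for its own host into one the bank will accept.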
Current thread:
- Proposal to anti-phishing Rafael San Miguel (Jan 14)
- RE: Proposal to anti-phishing Don Tuer (Jan 14)
- Re: Proposal to anti-phishing Rishi Pande (Jan 15)
- RE: Proposal to anti-phishing RSnake (Jan 15)
- RE: Proposal to anti-phishing Lyal Collins (Jan 16)
- RE: Proposal to anti-phishing Frank Knobbe (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- RE: Proposal to anti-phishing Sam Koh (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing Don Tuer (Jan 14)
- RE: Proposal to anti-phishing WebAppSecurity [Technicalinfo.net] (Jan 15)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 15)
- RE: Proposal to anti-phishing Lyal Collins (Jan 16)
- Re: Proposal to anti-phishing Moksha Faced (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- Re: Proposal to anti-phishing Cory Foy (Jan 23)