WebApp Sec mailing list archives

Re: Growing Bad Practice with Login Forms


From: Ivan Krstic <krstic () fas harvard edu>
Date: Wed, 28 Jul 2004 13:25:27 +0100

This thread has been a less information-dense rehash of a similar thread
on Perry's crypto ('Using crypto against Phishing, Spoofing, and
Spamming...' started by Amir Herzberg, CC'd, on July 4th 2004 11:30am).
I'd advise all to give that thread a read, as some very good points are
brought up.

I also quote here parts of one of Amir's later messages, in which he
links to his paper that presents a possible solution to the "fakeable
padlock" problem:

Amir Herzberg writes:
[...]
In fact, many `serious` web sites ask users to enter passwords etc.
in pages which are NOT PROTECTED, usually relying on a script in the
page to invoke SSL just before submitting the information; this
implies that a spoofing/phishing site can present the same content
and collect the unencrypted passwords... I found such vulnerabilities
in many of the most prestigious web sites, including Microsoft's
Passport, Chase, E-Bay, Amazon, Yahoo! and TD Waterhouse (see screen
shots at fig 5 of [1]).

So my conclusion is: the problem is not with SSL/TLS, the problem is
in their current use by browsers (and we present a possible fix in
the paper).

The paper ([1]) is here:
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm

Cheers,
Ivan.
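Editor's note: the pattern Amir describes (password field on a page served over plain HTTP, with the switch to SSL left to a script at submit time) is easy to check for statically. The following is an added example written for this archive page; it is not code from Ivan, Amir, the paper, or any of the sites named above. The host names bank.example and shop.example, the sample pages and the function name audit_login_forms are all made up for illustration. The verdict deliberately ignores the form's action and any onsubmit script when the page itself arrived in cleartext, because that is exactly the point of the thread: an unauthenticated page can be spoofed or rewritten wholesale, so the SSL hop it promises to add later protects nothing.

```python
"""Static check for the pattern discussed in the thread: a password field
on a page that was not itself delivered over SSL/TLS.

Added example; not code from the thread or from the paper. The host
names (bank.example, shop.example) and the function name are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Records every <form> and whether it contains an <input type=password>."""

    def __init__(self):
        super().__init__()
        self.forms = []       # [{"action": str or None, "has_password": bool}, ...]
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # A missing type attribute means type=text, so only an explicit
            # "password" counts.
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Classify each password-carrying form on a page.

    Returns a list of (resolved_action_url, verdict). Verdicts:
      "unprotected-page"  the page itself came over plain http, so whatever
                          the form's action or onsubmit script does, a
                          spoofed or rewritten copy of the page collects the
                          password in the clear. This is the case in the
                          thread: the https hop added at submit time does
                          not change the verdict.
      "cleartext-submit"  the page is https but the form posts over http
                          (a downgrade; credentials leave in plaintext).
      "ok"                page and form action are both https.
    """
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    results = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An absent or empty action posts back to the page's own URL.
        action = urljoin(page_url, form["action"] or "")
        action_scheme = urlsplit(action).scheme.lower()
        if page_scheme != "https":
            verdict = "unprotected-page"
        elif action_scheme != "https":
            verdict = "cleartext-submit"
        else:
            verdict = "ok"
        results.append((action, verdict))
    return results


# Constructed sample pages (not captured from any real site).
PAGE_UNPROTECTED = """
<html><body>
<form method="post" action="http://bank.example/login"
      onsubmit="this.action='https://bank.example/login'; return true;">
  <input name="user"><input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

PAGE_OK = """
<html><body>
<form method="get" action="/search"><input name="q"></form>
<form method="post" action="/login">
  <input name="user"><input type="PASSWORD" name="pass">
</form>
</body></html>
"""

PAGE_DOWNGRADE = """
<html><body>
<form method="post" action="http://shop.example/auth">
  <input name="email"><input type="password" name="pw"/>
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in (("http://bank.example/", PAGE_UNPROTECTED),
                      ("https://bank.example/login", PAGE_OK),
                      ("https://shop.example/", PAGE_DOWNGRADE)):
        for action, verdict in audit_login_forms(url, html):
            print(f"{url} -> {action}: {verdict}")
```

Run it against the HTML of a fetched page together with the URL it was fetched from; the URL matters more than the markup, since the first verdict is decided by the scheme the page itself arrived over. The check is static and will not see forms built or rewritten by script after load, so a clean result is necessary, not sufficient.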


