WebApp Sec mailing list archives
Spoofing phishing attacks, SSL and TrustBar
From: Amir Herzberg <herzbea () macs biu ac il>
Date: Thu, 19 Aug 2004 10:56:41 +0200
Ivan Krstic kindly copied me on a note he sent to this group recently, on the topic `Growing Bad Practice with Login Forms`. Ivan noted that my recent work with Ahmad Gbara is relevant to it. The ideas are in http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm; Ahmad is developing an implementation for Mozilla which you can see/try at http://TrustBar.MozDev.org - but this is not yet an `announcement` for it since it is still in debugging (although, I use different versions of it for a couple of months now and find it already very useful). If any of you want to implement for other browsers (or to improve on Ahmad's implementation), you are very welcome. TrustBar is a tiny browser (currently Mozilla) extension to display clear warning in insecure sites, and display the name of the site, or preferably a logo or icon selected by the user or certified by an authority trusted by the user (a CA or a friend or the Trademark Office...). The warning is fixed in the top of every Mozilla window, including helper app windows, so it cannot be spoofed by the site. There is a lot more - see the paper and send us comments... Most relevant to the discussion you had here (I looked a bit in your archive) may be some screen shots which show how some of the largest web sites (Microsoft Passport, Yahoo, Ebay, Amazon, Chase, TD Waterhouse) prompt users for passwords etc. in unprotected pages (sometimes claiming they are protected...), see in paper or directly: http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing_files/image005.gif
Current thread:
- Spoofing phishing attacks, SSL and TrustBar Amir Herzberg (Aug 21)