RE: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...

["Yvan G.J. Boily" <yboily () seccuris com>]

The point Mr. Wall was trying to make is that using SSL to "protect" a login
page prior to the actual (HTTP Verb) which submits the credentials to the
web server does nothing to prevent a user from falling victim to a spoofed
web page.

Your trustbar tool is essentially just another way of putting information in
front of the users face, however it does nothing that isn't already
available.  Since the "trustbar" is not part of the default distribution of
a browser it will not do much to further awareness, or protect a user.  This
is more so the case because a user who has the understanding to install the
software will generally not be caught by a phishing scam or fooled by a
spoofed server.

The idea of adding adding SSL to the actual page as a means to protect the
user promotes a "security oriented process" which in essence, provides 0
(zero) additional security.

As a slight aside, it seems to me that you have misunderstood the intention
of the "padlock" icon beside the Chase login.  When I went to www.chase.com
and saw the padlock, my first inclination was to click it.  Did I do this
because it makes sense to me?  No, my first inclination is to inspect both
the "action" field of the form, and the SSL certificate.  I did this because
I asked my girlfriend to tell me if it was secure or not, and she said if
you click on the padlock, it will usually tell you.  You know, she is not
exactly a computer n00b, but neither is she extremely aware of computers and
security either.  I would rate her just a touch above the average user,
skewed in the time we have been dating because of exposure to my paranoia*
(*her word, not mine).

The reason this is important is because you claim the "lock" icon is
misleading.  I say that the lock icon is more intuitive than a "trust bar"
or the SSL warnings.  People using e-commerce sites have been indoctrinated
to "look for the padlock" and "click on it for more information".

It is my opinion that you are likely doing more damage than good by
spreading fear, uncertainty, and doubt about a widely used, and commonly
accepted practice to which your proposed solution does essentially nothing
about.

I apologize if this seems unduly harsh, but I think that you may have lost
sight of the intended audience during 
your academic pursuits.


Regards,

Yvan

Ps.  
The final statement in your message --

Here you are wrong; the problem is at the mail paypal site so many users
- even not naive - may reach this site.

Bears clarification.. If you mean the email message is the issue, you are in
fact, correct.  Email clients and web browsers should provide a built in
means to assess and modify information being sent in a HTTP request or in a
link (including reverse DNS of the IP address) to provide a higher level of
awareness.  Again, this will only be valuable if the users of said feature
are reasonably aware as well.

-----Original Message-----
From: Amir Herzberg [mailto:herzbea () cs biu ac il] 
Sent: Monday, October 25, 2004 2:13 AM
To: webappsec () securityfocus com; David Wall @ Yozons, Inc.
Subject: Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!,
Chase, ...

"David Wall @ Yozons, Inc." responded to me:
> > and most visible and sensitive web sites still ask users to enter 
> > passwords into unprotected web forms - making it trivial for attackers 
> > to emulate these pages and steal passwords. These include PayPal, 
> > chase,
> >  Microsoft's passport, Yahoo!, eBay, TD Waterhouse,...  (I've checked 
> > most of them about a month ago and this was still the case; I've 
> > checked
> >  PayPal today...)
>
> Your tool may be nice, but Paypal does redirect to an SSL site if you 
> type in paypal.com or www.paypal.com and if you click the "log in" link.

PayPal redirects to SSL site once you hit the `log in` link, but it also
asks users for userid and password directly at its (unprotected) homepage,
http://www.paypal.com. The same holds for Chase, Yahoo! etc (see screen
shots and links from the paper,
http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm).
Some of them (e.g. Chase) are especially misleading as they display a
padlock next to the `login` button, which users may interpret as `this is
protected`.  But of course these pages are not protected at all so they are
trivial to spoof (and collect the passwords).

> Of course, this helps, but since most web users are not savvy and 
> don't use your tool, such a "fix" rarely helps.

Exactly my point. Conclusions:
1. Web users should be encouraged to use TrustBar (or browsers, or add-ins,
providing equivalent functionality).
2. Browser developers should incorporate TrustBar (or equivalent
mechanisms). This should be easy, esp. since our project is open-source
(http://trustbar.mozdev.org) and as far as I know patent-free.
3. Web site designers should be more sensitive to this threat... It is
amazing that such major sites have such obvious and trivial to fix
vulnerabilities, and noticed I've informed them all; the only positive
response I got was some discount vouchers from TD Waterhouse - but really I
would have preferred, if they also acted on my trivial recommendation...

> After all, someone who is naive
> enough to follow such paypal links probably doesn't know anything 
> about keeping themselves safe online, which is why they are targeted.
Here you are wrong; the problem is at the mail paypal site so many users
- even not naive - may reach this site.

Best, Amir Herzberg
http://AmirHerzberg.com
Associate Professor, Computer science department, Bar Ilan University