WebApp Sec mailing list archives
Re: Re: Defending users of unprotected login pages with TrustBar 0.4.9.93
From: mike03051 () yahoo com
Date: 20 Sep 2005 19:40:03 -0000
Amir, Lets differentiate the issues a bit for clarity. Specifically, lets differentiate your Hall of Shame list from TrustBar features and functions. We should all be able to agree on statements of fact: Both http: and https: (SSL) sites are subject to MITM exploits. I wonder then what is the justification for placing some sites in your Hall of Shame listing. It is not unreasonable to view your pages and come to the conclusion that HOS entries are there because they allow access to logon forms using an HTTP url. If that is the case, then I take exception to the prima facia claims on your site that these are Hall of Shame. They all submit secure web forms, like any other secure web site in the world. Your HOS identified sites are no more (or no less) susceptible to MITM than any other site in the world, either. Now as for TrustBar. I have not downloaded or tested TrustBar, so I cannot vouch for how well it works, but from the web site it detects HTTPS connections and attempts to match the certificate with the url. This helps to read a certificate. One nice touch is the nice logo display for visual verification. Now a question: does it work if the certificate is valid but says something like citibank.asecur-e.com? Do your company logo displays from a db or are they downloaded from the site? Mike
Current thread:
- Defending users of unprotected login pages with TrustBar 0.4.9.93 Amir Herzberg (Sep 19)
- <Possible follow-ups>
- Re: Defending users of unprotected login pages with TrustBar 0.4.9.93 mike03051 (Sep 19)
- Re: Defending users of unprotected login pages with TrustBar 0.4.9.93 Nathan Jackson-Eeles (Sep 19)
- Re: Defending users of unprotected login pages with TrustBar 0.4.9.93 J. Lambrecht (Sep 19)
- Re: Re: Defending users of unprotected login pages with TrustBar 0.4.9.93 mike03051 (Sep 19)
- Re: Re: Defending users of unprotected login pages with TrustBar 0.4.9.93 Peter Conrad (Sep 20)
- Re: Re: Defending users of unprotected login pages with TrustBar 0.4.9.93 mike03051 (Sep 20)