Must we authenticate login forms (using SSL?)?

[Amir Herzberg <amir.herzberg () gmail com>]

mike03051 () yahoo com said:

> Amir,
>
> Let’s differentiate the issues a bit for clarity. Specifically, let’s 
differentiate your Hall of Shame list from
> TrustBar features and functions.
>
> We should all be able to agree on statements of fact:
> Both http: and https: (SSL) sites are subject to MITM exploits.
SSL sites may be subject to MITM exploits, but only when users do not
check the identity of the subject and issuer in the certificate. Users
can validate these identities easily using TrustBar, and in theory even
without it.

Non-SSL sites (http:) are completely vulnerable to MITM - even the most
expert user cannot detect spoofing... except for reading the source code
which is clearly not practical...

Furthermore, non-SSL sites are subject also to phishing attacks, where
the user is tricked
into requesting a wrong URL, e.g. from email. Again, SSL sites can be
subject to such attack as well, but users are much better protected from
it. Without TrustBar, attacker still has to get a cert for the URL from
one of the CAs `trusted` by the browser (or trick the user into
approving); most attackers simply present a non-SSL site (but some users
may notice that). With TrustBar, there is a fair chance for detection
even by naive users (noting that they don't get the right logo/name for
the site).

> I wonder then what is the justification for placing some sites in 
your Hall of Shame listing.
> It is not unreasonable to view your pages and come to the conclusion
> that HOS entries are there because they allow access to login forms 
using an HTTP url.
Of course.
> If that is the case, then I take exception to the prima facia claims 
on your site that
> These are Hall of Shame. They all submit secure web forms, like any 
other secure web site
> in the world. Your HOS identified sites are no more (or no less) 
susceptible to MITM
> than any other site in the world, either.

Well, I guess if you insist, I'll have to change something in my
discussions. You may be the first security expert to actually insist on
this claim (and that includes experts in companies that have unprotected
login sites!). I think I've stated my arguments about as clearly as I
can... So if you still disagree, just let me know if you consider
yourself a security expert. I'm not saying that your opinion is
irrelevant if you are not a security expert, it is just the I want to
know if I need to modify my statement (that all security experts I've
talked with agreed with non-SSL login sites being worthy of HoS...).
> Now as for TrustBar. I have not downloaded or tested TrustBar, so I 
cannot vouch for
> how well it works, but from the web site it detects HTTPS connections 
and attempts to
> match the certificate with the url. This helps to read a certificate.
> One nice touch is the nice logo display for visual verification.
>
> Now a question: does it work if the certificate is valid but says 
something like
> citibank.asecur-e.com? Do your company logo displays from a db or are 
they downloaded
> from the site?
Of course it `works`, i.e., if you've set Citibank logo to the Citibank
site (SSL protected or not) then you'll see if only in the respective
Citibank site. Of course, this by itself does not protect users from a
MITM attack if the site is unprotected. We are exploring some mechanisms
for this, in particular the idea I've been asking this list about which
is for sites to digitally sign the pages so they are secure from
tampering (even by MITM...).
--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI:
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame
--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI:
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame