WebApp Sec mailing list archives

Re: Must we authenticate login forms (using SSL?)?


From: Amir Herzberg <amir.herzberg () gmail com>
Date: Sun, 02 Oct 2005 09:07:05 +0200

Mike, thanks.

Thank you for the response and clarification.
...
> As to whether I am a security expert, it depends on whether in your opinion a
> security expert is made through certification.
...
No, I just wanted to know if you consider yourself one, and I think your reply counts as yes.

> I gather from your response that we agree that HTTP and HTTPS pages are equally susceptible to both
> phishing and MITM attacks.
No. We certainly agree on HTTP pages. Re HTTPS (SSL) pages, both my intuition and my experiments seem to show that MITM and phishing attacks still have a significant chance to succeed with users of current browsers, but a much lesser chance to succeed with browsers with improved security indicators (e.g. Firefox with the TrustBar extension). There is still a non-negligible risk of non-detection (which we hope to reduce further, e.g. by improving TrustBar). But it is definitely not "equally susceptible", imho. Ignoring such a significant improvement due to the fact that the risk is not completely eliminated is, imho, a mistake.

> An attacker can always use a bank's name URL, as for
> example, citibank.ny02110.biz will work. All the attacker needs to do is acquire a certificate for their site and they
> will be able to host an SSL site.
I definitely agree that this remains a viable attack, but, TrustBar does reduce this threat significantly; and even without TrustBar, this attack is substantially less likely to succeed compared to non-SSL site.

> Since we agree on this point of fact, I find the entire HOS listing pointless and misleading.
Well so we don't agree here... that happens.

> I do believe that TrustBar offers many advantages for a user who chooses to download it.
Thanks!
> Whether it can read the certificate or not is probably not one of its major strengths as
> citibank.ny02110.biz is maybe just not enough information for a user.
But, TrustBar presents more than this!! In your first contact with the bank, you'll get their _name_; in particular for Citibank, you get `Citigroup` - which an attacker is not likely to be able to get signed by any CA (I hope!)... And then the customer will hopefully usually assign a logo or a personal name - and this is something that the spoofed site has no way of getting at all.

Customer can also assign name/logo to non-https sites, but this will fail against a MITM attacker...

Thanks a lot for your feedback and best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame
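The three indicator states argued over in the message above (an unprotected HTTP login page, an SSL page identified only by its domain such as citibank.ny02110.biz, and an SSL page identified by the certified organisation name or a user-assigned petname) can be modelled in a few dozen lines. The following is an added example written for this archive, not TrustBar's own code; it works over the dictionary shape that Python's ssl getpeercert() returns, the certificates and the petname table are constructed sample data, and keying the petname on the certified organisation name is a simplification of what a real toolbar would store.

```python
"""Model of a TrustBar-style security indicator (added illustrative example).

Input certificates use the dict layout of ssl.SSLSocket.getpeercert(); all
certificates below are constructed samples, not real bank or attacker certs.
"""
from urllib.parse import urlsplit


def cert_names(cert):
    """Return (organizationName, commonName) from a getpeercert()-style dict."""
    subject = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            subject.setdefault(key, value)
    return subject.get("organizationName"), subject.get("commonName")


def cert_covers_host(cert, host):
    """Minimal hostname check: exact match or single-label wildcard against the
    subjectAltName dNSName entries, falling back to the CN only when there is
    no SAN. (Illustrative; a browser's matching rules are stricter.)"""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        cn = cert_names(cert)[1]
        names = [cn] if cn else []
    host = host.lower()
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            # a wildcard covers exactly one extra label, never "a.b.example.com"
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def indicator(url, cert, petnames):
    """Return (state, label) as a TrustBar-like toolbar would show it.

    petnames maps a certified organisation name to the logo/name the user
    assigned on an earlier visit (assumed key; a simplification)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        # Hall-of-Shame case: no certificate at all, MITM trivially possible
        return ("UNPROTECTED", host)
    if cert is None or not cert_covers_host(cert, host):
        # certificate does not name this host: MITM or misconfiguration
        return ("BROKEN", host)
    org, cn = cert_names(cert)
    if org in petnames:
        # user-assigned identity: a spoofed site cannot obtain this label
        return ("PETNAME", petnames[org])
    # first contact: show the certified organisation, else only the domain
    return ("CERTIFIED", org or cn)


# Constructed sample: an organisation-validated certificate for the bank
BANK_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Citigroup"),),
                (("commonName", "online.citibank.com"),)),
    "subjectAltName": (("DNS", "online.citibank.com"),
                       ("DNS", "www.citibank.com")),
}

# Constructed sample: a domain-validated certificate for the look-alike host
ATTACKER_CERT = {
    "subject": ((("commonName", "citibank.ny02110.biz"),),),
    "subjectAltName": (("DNS", "citibank.ny02110.biz"),),
}

PETNAMES = {"Citigroup": "My bank (blue logo)"}  # constructed user table


if __name__ == "__main__":
    cases = [
        ("http://online.citibank.com/login", None),
        ("https://online.citibank.com/login", BANK_CERT),
        ("https://citibank.ny02110.biz/login", ATTACKER_CERT),
        ("https://online.citibank.com/login", ATTACKER_CERT),
    ]
    for url, cert in cases:
        print(url, "->", indicator(url, cert, PETNAMES))
```

The last two cases are the ones the thread disagrees about: the attacker with a certificate for citibank.ny02110.biz gets an SSL page, but the indicator shows only that domain rather than "Citigroup" or the user's own logo, and the same certificate presented for online.citibank.com (a MITM) fails the hostname check outright.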

