WebApp Sec mailing list archives
Re: Must we authenticate login forms (using SSL?)?
From: Amir Herzberg <amir.herzberg () gmail com>
Date: Sun, 02 Oct 2005 09:07:05 +0200
Mike, thanks.
> Thank you for the response and clarification.
> ... As to whether I am a security expert, it depends on whether in your opinion a
> security expert is made through certification.

... No, I just wanted to know if you consider yourself one, and I think your reply counts as yes.
> I gather from your response that we agree that HTTP and HTTPS pages are equally susceptible to both
> phishing and MITM attacks.

No. We certainly agree on HTTP pages. Re HTTPS (SSL) pages, both my intuition and my experiments seem to show that MITM and phishing attacks still have a significant chance to succeed with users of current browsers, but a much lesser chance to succeed with browsers with improved security indicators (e.g. Firefox with the TrustBar extension). There is still a non-negligible risk of non-detection (which we hope to reduce further, e.g. by improving TrustBar). But it is definitely not `equally susceptible`, imho. Ignoring such a significant improvement because the risk is not completely eliminated is, imho, a mistake.
> An attacker can always use a bank's name url, as for example, citibank.ny02110.biz will work. All the attacker needs to do is acquire a certificate for their site and they will be able to host an SSL site.

I definitely agree that this remains a viable attack, but TrustBar does reduce this threat significantly; and even without TrustBar, this attack is substantially less likely to succeed compared to a non-SSL site.
> Since we agree on this point of fact, I find the entire HOS listing pointless and misleading.

Well, so we don't agree here... that happens.
> I do believe that TrustBar offers many advantages for a user who chooses to download it.

Thanks!
> Whether it can read the certificate or not is probably not one of its major strengths as
> citibank.ny02110.biz is maybe just not enough information for a user.

But TrustBar presents more than this!! In your first contact with the bank, you'll get their _name_; in particular for Citibank, you get `Citigroup` - which an attacker is not likely to be able to get signed by any CA (I hope!)... And then the customer will hopefully usually assign a logo or a personal name - and this is something that the spoofed site has no way of getting at all.

Customers can also assign a name/logo to non-https sites, but this will fail against a MITM attacker...
Thanks a lot for your feedback and best regards,

Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame
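As an added illustration of the indicator logic described in the message above (this is not code from the original post or from TrustBar itself), the following models a TrustBar-style site indicator: the CA-certified organization name on first contact, a user-assigned petname afterwards, and only the bare domain for a lookalike site whose certificate carries no organization. Certificates use the dict shape Python's ssl.getpeercert() returns; both certificates and the petname store are constructed sample data, and binding a petname to issuer+serial is a simplifying assumption.

```python
import hashlib
from typing import Optional

# Constructed sample certificates in ssl.getpeercert() dict form:
# 'subject'/'issuer' are tuples of RDNs, each a tuple of (attribute, value) pairs.
BANK_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Citigroup"),),
                (("commonName", "www.citibank.com"),)),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "serialNumber": "01A3",
}
LOOKALIKE_CERT = {
    # Domain-validated certificate for the lookalike host: no organizationName at all.
    "subject": ((("commonName", "citibank.ny02110.biz"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "serialNumber": "7F22",
}

def rdn_value(cert: dict, field: str, attr: str) -> Optional[str]:
    """Return the first value of `attr` in the cert's subject or issuer, or None."""
    for rdn in cert.get(field, ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None

def cert_key(cert: dict) -> str:
    """Identity a petname is bound to: issuer plus serial, hashed (simplification)."""
    ident = f"{rdn_value(cert, 'issuer', 'organizationName')}|{cert['serialNumber']}"
    return hashlib.sha256(ident.encode()).hexdigest()

def indicator(cert: dict, petnames: dict) -> str:
    """TrustBar-style indicator: petname wins; else certified O= plus the CA;
    else only the domain, flagged because no CA vouched for an organization."""
    pet = petnames.get(cert_key(cert))
    if pet:
        return f"{pet} (your label)"
    org = rdn_value(cert, "subject", "organizationName")
    ca = rdn_value(cert, "issuer", "organizationName") or "unknown CA"
    if org:
        return f"{org} (identified by {ca})"
    cn = rdn_value(cert, "subject", "commonName") or "?"
    return f"{cn} (domain only, no organization certified)"

def demo() -> tuple:
    """First contact, after the user labels the bank, and the lookalike site."""
    petnames = {}
    first_visit = indicator(BANK_CERT, petnames)
    petnames[cert_key(BANK_CERT)] = "My Bank"   # user assigns a personal name
    return first_visit, indicator(BANK_CERT, petnames), indicator(LOOKALIKE_CERT, petnames)
```

The lookalike certificate is valid for its own domain, yet it can neither show the certified name `Citigroup` nor inherit the petname bound to the bank's certificate, which is the point the message makes.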