WebApp Sec mailing list archives

RE: Smells like a phish, is a fish?


From: "Damhuis Anton" <DamhuisA () aforbes co za>
Date: Fri, 28 Oct 2005 11:53:08 +0200


Hi,

Signing an email authenticates the origin of an email,
(a) but it still does not stop the contents of the email from being read while in transit (as far as I know).
(b) It also does not stop the contents from being read after an elapsed period of time.

(a) If an attacker saw the link in the message while it was being transmitted and copied the link into a browser, they would get access to the account.

(b) If the email lay dormant on the email server for some time, and is then opened, it would/could still give access to that account.

That is why I say that something must always be kept secret. It will make sure, in both cases, that someone could not get access to an account.

Another Example
===============
Let's assume there is a web site that requires the user to enter their email address and password to log in.

If the user forgets their password, it can be sent to them. An attacker at that point has all the information from the email while in transit, and while stored somewhere. Most likely the request would still be valid after 3 weeks.
The site should have a timeout on the sent password. It should also require the user to change their password as soon as they log in (thus making the information in the email invalid).

Regards
  Anton

-----Original Message-----
From: Tom Stowell [mailto:jts () deforest k12 wi us]
Sent: 27 October 2005 08:27
To: Damhuis Anton; Ofer.Shezaf () breach com; vanderaj () greebo net;
webappsec () securityfocus com
Subject: RE: Smells like a phish, is a fish?


Greetings,

You say "email is sent over an unencrypted link". I say, why?

I would put forth that phishing is going to be a problem until there is a secure, open, widely deployed standard for 
source-authentication of email.

S/MIME, for example. Maybe businesses should start signing messages, and teach their customers to not trust ones that 
don't have the "golden padlock."

Tom

Confidentiality Warning
=======================

The contents of this e-mail and any accompanying documentation
are confidential and any use thereof, in what ever form, by anyone
other than the addressee is strictly prohibited.
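The "Another Example" in Anton's message above describes a password-reset flow where the e-mailed secret has a timeout and becomes invalid once used. The following is an added illustration of that design, not code from the list post or from any project: the mail carries only a random single-use token, the server stores a hash of it with an expiry, and redeeming the token sets a new password so nothing that was in the mail is useful afterwards, whether it was read in transit or found on a server weeks later. The class name, the host `example.invalid`, and the 15-minute lifetime are assumptions chosen for the example.

```python
"""Password-reset links that stay useless to anyone who reads the e-mail.

Added illustration of the design discussed on the list; the names below
(ResetTokenStore, example.invalid, TOKEN_TTL_SECONDS) are constructed.
"""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset link dies after 15 minutes


class ResetTokenStore:
    """Server-side state behind e-mailed reset links.

    The e-mail carries only a random token.  The server keeps a hash of that
    token plus its expiry, never the password, so the mail itself contains
    nothing a reader could use once the token is spent or stale.
    """

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be tested without sleeping
        self._pending = {}         # sha256(token) -> (email, expires_at)
        self._credentials = {}     # email -> (salt, pbkdf2 hash of the password)

    @staticmethod
    def _digest(token: str) -> str:
        # The token is 256 bits of randomness, so a plain hash is enough to stop a
        # copy of the database from yielding tokens that still work.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def issue(self, email: str) -> str:
        """Create a single-use, time-limited token and return the link to e-mail."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email, self._clock() + TOKEN_TTL_SECONDS)
        # Constructed host.  The link is the only thing that leaves the server.
        return f"https://example.invalid/reset?token={token}"

    def redeem(self, token: str, new_password: str) -> bool:
        """Consume the token and set a new password.

        Returns False when the token is unknown, already used, or expired.
        """
        entry = self._pending.pop(self._digest(token), None)  # pop: one use only
        if entry is None:
            return False
        email, expires_at = entry
        if self._clock() > expires_at:
            return False  # mail that lay dormant too long is worthless
        salt = secrets.token_bytes(16)
        self._credentials[email] = (salt, self._hash_password(new_password, salt))
        return True

    def verify_password(self, email: str, password: str) -> bool:
        cred = self._credentials.get(email)
        if cred is None:
            return False
        salt, stored = cred
        return secrets.compare_digest(stored, self._hash_password(password, salt))


def token_from_link(link: str) -> str:
    """What the browser hands back when the user clicks the e-mailed link."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    store = ResetTokenStore()
    link = store.issue("alice@example.invalid")   # constructed address
    tok = token_from_link(link)
    print("first use:", store.redeem(tok, "correct horse"))   # True
    print("replay:   ", store.redeem(tok, "replayed"))        # False, token consumed
```

The two properties Anton asks for fall out of two lines: `pop` makes the token single-use, and the expiry check makes a dormant mail harmless. Because the server only ever stores a hash of the token, the secret that "must always be kept" exists in exactly one place, the e-mail, and only until it is used or times out.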

