[15768] in cryptography@c2.net mail archive
Re: New Attack on Secure Browsing
daemon@ATHENA.MIT.EDU (Aram Perez)
Fri Jul 16 12:35:01 2004
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Thu, 15 Jul 2004 21:36:34 -0700
From: Aram Perez <aramperez@mac.com>
To: Ian Grigg <iang@systemics.com>,
Cryptography <cryptography@metzdowd.com>
In-Reply-To: <40F6ACEE.3060706@systemics.com>
Hi Ian,
> Congratulations go to PGP Inc - who was it, guys, don't be shy this
> time? - for discovering a new way to futz with secure browsing.
>=20
> Click on http://www.pgp.com/ and you will see an SSL-protected page
> with that cute little padlock next to domain name. And they managed
> that over HTTP, as well! (This may not be seen in IE version 5 which
> doesn't load the padlock unless you add it to favourites, or some
> such.)
Here what I saw when going to the PGP site:
Windows XP Pro:
IE 6.x: No padlock
Firefox 0.9.2: Padlock on address bar and tab
Mac OS 10.2.8:
IE 5.2: No padlock
Safari 1.0.2: Padlock on address bar but no on tab
Fixfox 0.8: Padlock on address bar and tab
Camino 0.7: Padlock on address bar and tab
You stated that http://www.pgp.com is an SSL-protected page, but did you
mean https://www.pgp.com? On my Powerbook, with all the browsers I get an
error that the certificate is wrong and they end up at http://www.pgp.com.
I'm not sure if PGP deliberately set out to confuse na=EFve users since their
logo has been the padlock for a while. Many web sites have their logo
displayed on the address bar (and tab) when you go to there site, see
http://www.yahoo.com or http://www.google.com. Maybe Jon can answer the
question.
Respectfully,
Aram Perez
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
