[17425] in cryptography@c2.net mail archive
Re: AmEx unprotected login site (was encrypted tapes, was Re:
daemon@ATHENA.MIT.EDU (Amir Herzberg)
Thu Jun 9 09:42:14 2005
X-Original-To: cryptography@metzdowd.com
Date: Thu, 09 Jun 2005 08:57:49 +0200
From: Amir Herzberg <herzbea@macs.biu.ac.il>
Reply-To: herzbea@macs.biu.ac.il
To: Ken Ballou <ballou@crab.mv.com>
Cc: Jerrold Leichter <jerrold.leichter@smarts.com>,
"Perry E. Metzger" <perry@piermont.com>, Ian G <iang@systemics.com>,
cryptography@metzdowd.com
In-Reply-To: <42A7466B.4030900@crab.mv.com>
Ken, you are correct (see below). And in fact, if the page came from the
right source (as validated by SSL and a secure browser extension such as
TrustBar), I don't think there is any need to validate the source (which
is impractical even for the geekest geek). After all, if a site is so
clueless as to send you corrupted scripts, it may as well publish your
password directly...
Best, Amir Herzberg
Ken Ballou wrote:
> Unless I misunderstand, the problem is that I can not determine where my
> login information will go without examining the source of the login
> page. Sure, the form might be posted to a server using https. But,
> without examining the source of the login page, I won't be able to look
> at the certificate for the site to which my credentials have been sent
> until it's too late.
>
> It's still the case that if I retrieve the original login form via
> https, I have to examine the page source to see to which server the form
> will be posted. But I can examine the certificate of the site from
> which I got the form originally to determine whether this is a phishing
> attack. If the login form itself can be shown to have come from an AmEx
> server, I'm probably more comfortable trusting that my credentials are
> going to the right server.
>
> Do I completely misunderstand?
>
> - Ken
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
New: see my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame.html
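The check Ken describes doing by hand (reading the page source to see where the login form posts) can be automated as a defender-side audit. The following is an added example, not code from either correspondent: it parses the forms on a page and flags any action that is not https or that resolves to a host other than the one that served the page. The page URL, HTML and hostnames are constructed samples.

```python
import html.parser
from urllib.parse import urljoin, urlsplit


class _FormCollector(html.parser.HTMLParser):
    """Collects the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action means the form posts back to the page URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_forms(page_url, page_html):
    """Return one (resolved action URL, list of problems) pair per form.

    Problems flagged: action scheme is not https; action host differs
    from the host that served the page (the certificate the user saw).
    """
    collector = _FormCollector()
    collector.feed(page_html)
    page = urlsplit(page_url)
    findings = []
    for action in collector.actions:
        target = urljoin(page_url, action)  # resolve relative actions
        t = urlsplit(target)
        problems = []
        if t.scheme != "https":
            problems.append("credentials would leave over plaintext " + t.scheme)
        if t.hostname != page.hostname:
            problems.append("form posts to a different host: %s" % t.hostname)
        findings.append((target, problems))
    return findings


# Constructed sample: an https login page with one form posting to its own
# origin and a second form posting to a plain-http host elsewhere.
SAMPLE_URL = "https://www.example.com/login"
SAMPLE_HTML = """
<form method="post" action="/login/submit"><input name="u"><input name="p" type="password"></form>
<form method="post" action="http://login.example.net/auth"><input name="p" type="password"></form>
"""

if __name__ == "__main__":
    for target, problems in audit_login_forms(SAMPLE_URL, SAMPLE_HTML):
        print(target, "OK" if not problems else "; ".join(problems))
```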
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com