[17439] in cryptography@c2.net mail archive
Re: AmEx unprotected login site
daemon@ATHENA.MIT.EDU (Amir Herzberg)
Thu Jun 9 10:44:27 2005
X-Original-To: cryptography@metzdowd.com
Date: Thu, 09 Jun 2005 17:33:31 +0200
From: Amir Herzberg <herzbea@macs.biu.ac.il>
Reply-To: herzbea@macs.biu.ac.il
To: "Perry E. Metzger" <perry@piermont.com>
Cc: Ben Laurie <ben@algroup.co.uk>,
"Steven M. Bellovin" <smb@cs.columbia.edu>,
Jerrold Leichter <jerrold.leichter@smarts.com>,
cryptography@metzdowd.com
In-Reply-To: <87d5qvfylq.fsf@snark.piermont.com>
Perry E. Metzger wrote:
> When I go to the SSL protected page, I can look at the URL and the
> lock icon in the corner before typing in my password.
Bless you for being so careful. I, instead, look at the logo of the site
and of the CA as displayed in TrustBar. This is much easier, and
protects me from subtle changes in the URL e.g. homographic attacks,
from spoofed address bars, and from certificates granted without proper
validation, e.g. `domain validated` certificates. I would expect each
security expert to use TrustBar (or other appropriate browser or browser
extension - but check they don't send each URL to their server).
> When you type in
> your password BEFORE the SSL connection, by the time you realize that
> it went to the wrong place, it is way too late.
If you realize it at all. A phisher can easily make you unaware of this.
>
> I admit that not everyone will check the URL and the lock icon, but at
> least it is *possible* to train people to do the right thing on
> that. There is no way, effectively, to train people to be safe given
> the way that Amex is set up.
And no way you can protect your users by a proxy or a local TrustBar
installation, which, as argued above, can protect reasonably well even
naive or unsuspecting users.
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
New: see my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame.html
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
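The property the thread is arguing about, that the page carrying the login form is itself delivered over SSL and not merely its submit target, can be checked mechanically. The following Python audit is an added example, not part of the original message or of TrustBar; it uses only the standard library, and the page URL and markup are constructed samples, not AmEx's.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormCollector(HTMLParser):
    """Collects (resolved action URL, has_password_field) for every <form>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None  # state of the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "password": False}
        elif tag == "input" and self._current is not None:
            if attrs.get("type", "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            # Resolve a relative action against the page URL, as a browser does.
            action = urljoin(self.page_url, self._current["action"])
            self.forms.append((action, self._current["password"]))
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of problems (empty = login page passes both checks).
    Check 1: the page carrying a password form is itself served over HTTPS,
    so the user has a URL and lock icon to verify before typing. Check 2:
    each password form posts to an HTTPS action. Failing 1 but passing 2 is
    the thread's pattern: the password is typed before any SSL connection."""
    collector = LoginFormCollector(page_url)
    collector.feed(html)
    password_forms = [a for a, has_pw in collector.forms if has_pw]
    problems = []
    if password_forms and urlsplit(page_url).scheme != "https":
        problems.append("login page served over plain HTTP: " + page_url)
    for action in password_forms:
        if urlsplit(action).scheme != "https":
            problems.append("password form posts to non-HTTPS action: " + action)
    return problems


# Constructed sample markup (not the real AmEx page): a password form that
# posts to HTTPS; whether the page itself is protected depends on page_url.
SAMPLE_HTML = """<html><body><form action="https://login.example.com/auth" method="post">
<input type="text" name="user"> <input type="password" name="pw"></form></body></html>"""
```

Run it against a fetched page body and its URL; the HTTP-page/HTTPS-action case is the one the thread says no amount of user training can fix.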