[18514] in cryptography@c2.net mail archive
Re: Defending users of unprotected login pages with TrustBar 0.4.9.93
daemon@ATHENA.MIT.EDU (Victor Duchovni)
Mon Sep 19 12:45:08 2005
X-Original-To: cryptography@metzdowd.com
Date: Mon, 19 Sep 2005 12:05:21 -0400
From: Victor Duchovni <Victor.Duchovni@MorganStanley.com>
To: cryptography@metzdowd.com
Mail-Followup-To: cryptography@metzdowd.com
In-Reply-To: <432EB4F6.6020504@cs.biu.ac.il>
On Mon, Sep 19, 2005 at 02:54:14PM +0200, Amir Herzberg wrote:
> We have now added a mechanism that
> computes a hash of every unprotected site for which the user has
> assigned name/logo. TrustBar compares this hash on subsequent accesses
> to the same site. If the site is not modified in five subsequent
> accesses, TrustBar begins displaying `Same since <date>`; and when the
> site changes, TrustBar displays a warning. This can help users notice a
> fake version of their login page. Unfortunately, this mechanism does not
> work very well on most real-life login pages, since most of them contain
> a tiny bit of frequently-changing data such as date or `random`
> identifiers (mostly to identify a cookie-less client, we think). We are
> working on improving the mechanism so it will be tolerant to such tiny
> changes, without exposing the user to malicious changes.
>
You could consider hashing just all <SCRIPT>...</SCRIPT> content,
the action URIs of all forms, and the targets of all links, ignoring
superficial content changes and changes in layout (sort the hashed
items).
--
/"\ ASCII RIBBON CAMPAIGN AGAINST HTML MAIL
\ /
 X  Victor Duchovni, IT Security, Morgan Stanley
/ \
NOTICE: If received in error, please destroy and notify sender. Sender does
not waive confidentiality or privilege, and use is prohibited.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
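Duchovni's suggestion worked through as an added Python example (it is not part of the original mail, nor TrustBar's own code): hash only the script bodies, form action URIs and link targets, sorted, so that a changing date or session identifier leaves the fingerprint unchanged while a redirected form or an added script changes it. The login page template below is constructed for this illustration.

```python
import hashlib
from html.parser import HTMLParser


class _StructureExtractor(HTMLParser):
    """Collects the items Duchovni proposes to hash: inline <script> bodies
    (plus external script src URIs), <form action> URIs and <a href> targets."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._script_buf = None  # list while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script_buf = []
            if a.get("src"):
                self.items.append("script-src:" + a["src"])
        elif tag == "form" and a.get("action") is not None:
            self.items.append("form-action:" + a["action"])
        elif tag == "a" and a.get("href") is not None:
            self.items.append("link:" + a["href"])

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.items.append("script:" + "".join(self._script_buf).strip())
            self._script_buf = None

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)


def structural_fingerprint(html: str) -> str:
    """SHA-256 over the sorted, length-prefixed structural items of a page.
    Sorting makes the hash independent of layout order; the length prefix
    keeps the concatenation unambiguous even if an item contains a newline."""
    p = _StructureExtractor()
    p.feed(html)
    p.close()
    canonical = "".join(f"{len(i)}:{i}\n" for i in sorted(p.items))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Constructed login page: the date and session id differ on every visit.
LOGIN_PAGE = """<html><body><p>Today is {date}</p>
<form action="{action}" method="post">
<input type="hidden" name="sid" value="{sid}">
<input name="user"><input type="password" name="pw"></form>
<a href="/help">Help</a>
<script>document.forms[0].user.focus();</script></body></html>"""
```

Visible text and hidden-field values are deliberately left out of the hash, so TrustBar's "Same since <date>" indicator would survive the per-visit noise the original mail complains about, while a change to where credentials are posted still trips the warning.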