[18552] in cryptography@c2.net mail archive
Re: Defending users of unprotected login pages with TrustBar 0.4.9.93
daemon@ATHENA.MIT.EDU (Anne & Lynn Wheeler)
Thu Sep 22 23:00:32 2005
X-Original-To: cryptography@metzdowd.com
Date: Thu, 22 Sep 2005 19:18:12 -0600
From: Anne & Lynn Wheeler <lynn@garlic.com>
To: "Axley, Jason" <jason.axley@wamu.net>
Cc: David Wagner <daw@cs.berkeley.edu>, herzbea@macs.biu.ac.il,
cryptography@metzdowd.com
In-Reply-To: <81BDAEBB3ED1DB4B9A1D799880C93DA4024CEB6B@exmsea017.us.wamu.net>
Axley, Jason wrote:
> I think that this trades one security problem for others in the
> application security realm. Sites that allow for equivalent functional
> duality in either HTTPS or HTTP protocols often suffer from problems
> where the HTTPS site inadvertently references an HTTP URL instead of
> HTTPS when doing something sensitive. Most people won't notice the
> insecurity because the site "still works". I prefer when applications
> break in insecure ways that they break loudly.
and the latest phishing
http://www.techweb.com/wire/security/171100298;jsessionid=EE0OXQCFILSOEQSNDBCCKHSCJUMEKJVN
New Phish Deceives With Phony Certificates
A new, advanced form of phishing dubbed "secured phishing" because it
relies on self-signed digital certificates, can easily fool all but the
most cautious consumers, a security firm warned Thursday.
... snip ...
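
The failure described in the quoted message, an HTTPS page that still points at an HTTP URL when doing something sensitive, can be made to break loudly with a check like the one below. This is an added example, not part of the original message; `audit`, `InsecureRefAuditor` and the bank.example sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tag -> attribute holding a URL the browser will fetch, follow or submit to.
URL_ATTRS = {"form": "action", "script": "src", "iframe": "src",
             "link": "href", "img": "src", "a": "href"}

class InsecureRefAuditor(HTMLParser):
    """Collect plain-HTTP references made by a page served over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []      # one dict per reference: tag, url, sensitive
        self._open_form = None  # finding for the enclosing form, if it posts to HTTP

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and self._open_form is not None:
            # A password field inside an HTTP-bound form sends credentials in clear.
            if (attrs.get("type") or "").lower() == "password":
                self._open_form["sensitive"] = True
            return
        raw = attrs.get(URL_ATTRS.get(tag, ""))
        if raw is None:
            return
        # Resolve relative and protocol-relative URLs against the HTTPS page URL.
        target = urljoin(self.page_url, raw.strip())
        if urlsplit(target).scheme != "http":
            return
        finding = {"tag": tag, "url": target, "sensitive": False}
        self.findings.append(finding)
        if tag == "form":
            self._open_form = finding

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None

def audit(page_url, html):
    parser = InsecureRefAuditor(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page; bank.example is a placeholder host.
SAMPLE = """
<form action="http://www.bank.example/login" method="post">
  <input name="user"><input type="password" name="pw"></form>
<form action="/search"><input name="q"></form><script src="//static.bank.example/app.js"></script>
<a href="http://www.bank.example/transfer">Transfer</a>
"""
```

Run in a build or crawl step, a non-empty result from `audit("https://www.bank.example/account", SAMPLE)` can fail the check outright, with `sensitive` marking the form that would submit a password over HTTP.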