Aram,

It's now pretty clear that PGP had no clue what this was
all about.  Apologies to all, that was my mistake.  Also,
to clarify, there was no SSL involved.

What we are looking at is a case of being able to put a
padlock on the browser in a place that *could* be confused
by a user.  This is an unintended consequence of the
favicon design by Microsoft.

Now, another thing becomes clearer, from your report and
others:  Microsoft implemented the display of the favicon
only as accepted / chosen by the user.  You have to add
this site as a favourite.

Other browsers - the competitors - went further and
displayed the favicon on arrival at the site.  I guess
they felt that it could be more useful than Microsoft
had intended.  But, in this case, it seems that they
may have stumbled on something that goes too far.

What will save them in this case is that the numbers of
users of such non-Microsoft browsers are relatively small.
If the tables were turned, and it was Microsoft that was
vulnerable, I'd confidently predict that we would see
some attempted exploits of this in the next month's
phishing traffic.

iang


Aram Perez wrote:
Hi Ian,


Congratulations go to PGP Inc - who was it, guys, don't be shy this
time? - for discovering a new way to futz with secure browsing.

Click on http://www.pgp.com/ and you will see an SSL-protected page
with that cute little padlock next to domain name.  And they managed
that over HTTP, as well!  (This may not be seen in IE version 5 which
doesn't load the padlock unless you add it to favourites, or some
such.)


Here what I saw when going to the PGP site:

Windows XP Pro:
    IE 6.x:         No padlock
    Firefox 0.9.2:  Padlock on address bar and tab

Mac OS 10.2.8:
    IE 5.2:         No padlock
    Safari 1.0.2:   Padlock on address bar but not on tab
    Firefox 0.8:    Padlock on address bar and tab
    Camino 0.7:     Padlock on address bar and tab

You stated that http://www.pgp.com is an SSL-protected page, but did you
mean https://www.pgp.com? On my Powerbook, with all the browsers I get an
error that the certificate is wrong and they end up at http://www.pgp.com.

I'm not sure if PGP deliberately set out to confuse naïve users since their
logo has been the padlock for a while. Many web sites have their logo
displayed on the address bar (and tab) when you go to their site, see
http://www.yahoo.com or http://www.google.com. Maybe Jon can answer the
question.
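The mechanism the thread is circling is that the icon in the address bar is chosen by the page (a `<link rel="icon">` tag, or the `/favicon.ico` fallback), while the only browser-verified fact is whether the transport was TLS. The following is an added example, not code from the thread or from any of the browser vendors named: a small parser that pulls the icon declarations out of a page and reports them alongside the URL scheme, so that a scanner or an analyst never confuses the two. The sample HTML and the URLs in it are constructed for the example.

```python
"""Added example (not from the mailing-list thread): separate the page-chosen
favicon from the browser-verified transport state for a fetched page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _IconLinkParser(HTMLParser):
    """Collect <link> elements whose rel list contains 'icon'.

    Covers both the original IE spelling rel="shortcut icon" and the plain
    rel="icon" that other browsers accept.
    """

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":  # HTMLParser already lowercases tag names
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        href = a.get("href")
        if "icon" in rel and href:
            self.hrefs.append(href)


def favicon_report(page_url, html):
    """Return what a browser would show in the address bar and who controls it."""
    parser = _IconLinkParser()
    parser.feed(html)
    declared = [urljoin(page_url, h) for h in parser.hrefs]
    # With no declaration browsers fall back to /favicon.ico at the site root;
    # that file is just as site-controlled as a declared one.
    if not declared:
        declared = [urljoin(page_url, "/favicon.ico")]

    scheme = urlsplit(page_url).scheme.lower()
    secured = scheme == "https"

    findings = []
    if not secured:
        findings.append(
            "icon(s) would be drawn in the address bar over plain HTTP; "
            "the image is site-supplied and says nothing about TLS"
        )
    return {
        "page_url": page_url,
        "transport_secured": secured,          # verified by the browser, not the page
        "favicons": declared,                  # pixels chosen by whoever serves the page
        "favicon_is_trust_indicator": False,   # always false: anyone can ship a padlock
        "findings": findings,
    }


# Constructed sample: an HTTP page that declares a padlock-shaped icon.
SAMPLE_HTML = """<html><head>
<title>Sample page</title>
<link rel="shortcut icon" href="/images/padlock.ico">
</head><body>hello</body></html>"""

if __name__ == "__main__":
    report = favicon_report("http://www.example.com/", SAMPLE_HTML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The point of keeping `transport_secured` and `favicons` as separate fields is that any tooling built on top of this (a phishing-feed triage script, for instance) is forced to read the TLS state from the URL it actually fetched rather than from anything the page supplied.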

--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]