Perry E. Metzger
Tue, 23 Jan 2007 06:38:16 -0800
For years, I've complained about banks, such as Chase, which let people type in the password to their bank account into a page that has been downloaded via http: instead of https:.
The banks always say "oh, that's no problem, because the password is posted via https:", and I say "but that's only if the page comes from *you*, and it might come from a bad guy." "How would someone possibly send the user a faked up web page?" they then ask. I reply like this: "the two obvious ways are DNS cache contamination and doing a man-in-the-middle in the network, and the latter is really easy now that people are trusting WiFi base stations in strange places that they've never used before. You could just put a tiny box near a cafe or airport lounge and siphon off passwords day and night."

The bank people then tell me that I'm crazy. (They're usually more polite than that, but that's the import of what they say.) I have a great letter from a manager at Chase informing me that they've been assured by fabulous security people that their system is safe.

Adding insult to injury, the banks put a little padlock GIF on their insecure form, probably to reduce the number of phone calls they get about it.

Well, guess what. It turns out that people are now deploying man-in-the-middle WiFi devices in places like airports and siphoning passwords for bank accounts. Who would have thought of such a nefarious thing? Certainly this is a new problem and one no one would have thought of before now...:

    January 19, 2007 (Computerworld) -- The next time you're at an airport looking for a wireless hot spot, and you see one called "Free Wi-Fi" or a similar name, beware -- you may end up being victimized by the latest hot-spot scam hitting airports across the country. You could end up being the target of a "man in the middle" attack, in which a hacker is able to steal the information you send over the Internet, including usernames and passwords. And you could also have your files and identity stolen,[...]

    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9008399&source=NLT_NET&nlid=27

(Incidentally, the article gets a few things wrong. It somewhat implies that you are safe if you pick a WiFi network you have a previous relationship with, which isn't true.)

Just to pick on my favorite exemplar of how not to do things for a moment, go over to:

    http://www.chase.com/

and ponder how it could be that a giant multinational financial institution could set its customers up this way.

If you go over to, say, www.fidelity.com, you will find that you can't even get to the http: version of the page any more -- you are always redirected to the https: version. For the record, Fidelity has gotten this right for as long as I've been watching them.

Now you might wonder, why do I keep picking on Chase? A certain other security person and I had an extended argument with the folks at another company I won't name other than to say that it was American Express. At the time, they more or less said, "yah, this is a problem, but fixing it is going to be a pain." However, I'll note that now, as with Fidelity, you pretty much can't go onto their web site without using https: -- kudos to Amex.

Indeed, though this was all a major problem a couple of years ago with many banks, many have now fixed it. However, for a select few, like, say, Chase, the message simply isn't getting through even though these organizations have been repeatedly informed that they are leaving their customers vulnerable. One wonders what level of trouble they're going to have to get into before they actually do the right thing.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
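The flaw Perry describes, a password form on an http: page that posts to https:, is easy to check for mechanically. The following is an added example (not part of the post, and not any bank's code) that audits a page's HTML for password forms and reports both the weak pattern above and the plain-http post case; the HTML and hostnames are constructed placeholders, and fetching the page over the network is left to the caller.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    # Collects every <form> on the page and whether it carries a password field.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # resolve a relative action against the URL the page was served from
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

def audit_login_page(page_url, html):
    """Return (problem, form_action) tuples for every password form on the page.
    'insecure_page': the page holding the form came over plain http, so anyone in
    the path (or poisoning DNS) can swap in a forged form wherever the real one posts.
    'insecure_action': the form itself sends the password over plain http."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        if page_scheme != "https":
            findings.append(("insecure_page", form["action"]))
        if urlsplit(form["action"]).scheme.lower() != "https":
            findings.append(("insecure_action", form["action"]))
    return findings

# Constructed sample of the pattern complained about: a login form on an http:
# page that posts to an https: endpoint (hostnames are placeholders).
SAMPLE_HTML = """<html><body><form action="https://login.bank.example/auth" method="post">
<input type="text" name="user"><input type="password" name="pass">
<img src="padlock.gif"><input type="submit" value="Log in"></form></body></html>"""
```

The same HTML served from an https: URL produces no findings, which is the Fidelity behaviour the post praises: the page and the post both travel over TLS.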