Re: New Attack on Secure Browsing
On 15 Jul 2004, at 9:36 PM, Aram Perez wrote:

> I'm not sure if PGP deliberately set out to confuse naïve users since their logo has been the padlock for a while. Many web sites have their logo displayed on the address bar (and tab) when you go to their site, see http://www.yahoo.com or http://www.google.com. Maybe Jon can answer the question.

(Sent from this account, since I am subscribed from here.)

This is a favicon -- a logo icon for the site. Lots of sites use them. PGP has had this on our site for a couple of years, now. I vaguely remember there being one in The Dark Days, but I could be misremembering. This is the first bit of confusion I've heard about it.

PGP's logo icon has been a padlock at least since the O'Reilly book used it in January of '95. This is before there even was an SSL. That particular icon is the very same one that was used as the tray icon in some version of PGP or other (we think PGP 7).

We're giving this all due consideration. Would it help if we changed the metal, perhaps from the current four-plane brass to eight-plane steel or even to alpha-channel Jolly Rancher iridescent translucent anodized titanium?

Jon

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: New Attack on Secure Browsing
Hi Ian,

> Congratulations go to PGP Inc - who was it, guys, don't be shy this time? - for discovering a new way to futz with secure browsing. Click on http://www.pgp.com/ and you will see an SSL-protected page with that cute little padlock next to domain name. And they managed that over HTTP, as well! (This may not be seen in IE version 5 which doesn't load the padlock unless you add it to favourites, or some such.)

Here is what I saw when going to the PGP site:

Windows XP Pro:
  IE 6.x: No padlock
  Firefox 0.9.2: Padlock on address bar and tab

Mac OS 10.2.8:
  IE 5.2: No padlock
  Safari 1.0.2: Padlock on address bar but not on tab
  Firefox 0.8: Padlock on address bar and tab
  Camino 0.7: Padlock on address bar and tab

You stated that http://www.pgp.com is an SSL-protected page, but did you mean https://www.pgp.com? On my Powerbook, with all the browsers I get an error that the certificate is wrong and they end up at http://www.pgp.com.

I'm not sure if PGP deliberately set out to confuse naïve users since their logo has been the padlock for a while. Many web sites have their logo displayed on the address bar (and tab) when you go to their site, see http://www.yahoo.com or http://www.google.com. Maybe Jon can answer the question.

Respectfully,
Aram Perez
Re: New Attack on Secure Browsing
Aram,

It's now pretty clear that PGP had no clue what this was all about. Apologies to all, that was my mistake. Also, to clarify, there was no SSL involved.

What we are looking at is a case of being able to put a padlock on the browser in a place that *could* be confused by a user. This is an unintended consequence of the favicon design by Microsoft.

Now, another thing becomes clearer, from your report and others: Microsoft implemented the display of the favicon only as accepted / chosen by the user. You have to add this site as a favourite. Other browsers - the competitors - went further and displayed the favicon on arrival at the site. I guess they felt that it could be more useful than Microsoft had intended. But, in this case, it seems that they may have stumbled on something that goes too far.

What will save them in this case is that the numbers of users of such non-Microsoft browsers are relatively small. If the tables were turned, and it was Microsoft that was vulnerable, I'd confidently predict that we would see some attempted exploits of this in the next month's phishing traffic.

iang

Aram Perez wrote:

> Hi Ian,
>
> > Congratulations go to PGP Inc - who was it, guys, don't be shy this time? - for discovering a new way to futz with secure browsing. Click on http://www.pgp.com/ and you will see an SSL-protected page with that cute little padlock next to domain name. And they managed that over HTTP, as well! (This may not be seen in IE version 5 which doesn't load the padlock unless you add it to favourites, or some such.)
>
> Here is what I saw when going to the PGP site:
>
> Windows XP Pro:
>   IE 6.x: No padlock
>   Firefox 0.9.2: Padlock on address bar and tab
>
> Mac OS 10.2.8:
>   IE 5.2: No padlock
>   Safari 1.0.2: Padlock on address bar but not on tab
>   Firefox 0.8: Padlock on address bar and tab
>   Camino 0.7: Padlock on address bar and tab
>
> You stated that http://www.pgp.com is an SSL-protected page, but did you mean https://www.pgp.com? On my Powerbook, with all the browsers I get an error that the certificate is wrong and they end up at http://www.pgp.com.
>
> I'm not sure if PGP deliberately set out to confuse naïve users since their logo has been the padlock for a while. Many web sites have their logo displayed on the address bar (and tab) when you go to their site, see http://www.yahoo.com or http://www.google.com. Maybe Jon can answer the question.
RE: New Attack on Secure Browsing
> You stated that http://www.pgp.com is an SSL-protected page, but did you mean https://www.pgp.com? On my Powerbook, with all the browsers I get an error that the certificate is wrong and they end up at http://www.pgp.com.

What I get is a bad certificate, and this is due to the fact that the certificate is issued to store.pgp.com and not www.pgp.com. Interestingly (maybe?), when you go and browse on their on-line store, and check something out to buy, the session is secured but with another certificate, one issued to secure.pgpstore.com.

--Anton
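The certificate error Anton and Aram describe is a hostname mismatch: the name the browser asked for (www.pgp.com) is not among the names the certificate was issued to (store.pgp.com). The following is an added example, not code from the thread or from PGP, showing the name-matching decision a client makes before it will show a real padlock. The certificate contents are constructed for illustration, and the matching rules (case-insensitive labels, a wildcard only as the whole left-most label, no matching across a dot) follow conventional browser behaviour rather than any specific 2004 implementation.

```python
"""Hostname-vs-certificate check modelled on the mismatch reported in the thread.

Added example, not code from the mailing list or from PGP. The certificate
names used here are constructed; the rules follow conventional client
behaviour (RFC 6125 style): labels compare case-insensitively, a wildcard
may only be the complete left-most label, and it never matches across a dot
or a bare two-label domain.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Names a certificate is issued to: subject CN plus subjectAltName DNS entries."""
    common_name: str
    san_dns: list = field(default_factory=list)

    def presented_names(self):
        # Modern clients use the SAN list when present and fall back to the CN
        # only when the certificate carries no DNS SANs.
        return list(self.san_dns) if self.san_dns else [self.common_name]


def _labels(name):
    """Normalise a DNS name: strip a trailing dot, lower-case, split on dots."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, host):
    """True if one certificate name (possibly wildcarded) matches the requested host."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if "*" not in pattern:
        return p == h
    # The wildcard must be the entire left-most label, with at least two
    # fixed labels after it, so "*.com" or "w*.pgp.com" are rejected.
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    return p[1:] == h[1:]


def check_hostname(cert, host):
    """Return (ok, reason): the decision a client makes before showing a padlock."""
    names = cert.presented_names()
    for n in names:
        if name_matches(n, host):
            return True, f"{host} matches certificate name {n}"
    return False, f"{host} not in certificate names {names}"


if __name__ == "__main__":
    # Constructed certificate modelled on the thread: the certificate served
    # for https://www.pgp.com was issued to store.pgp.com.
    store_cert = CertNames(common_name="store.pgp.com")
    print(check_hostname(store_cert, "www.pgp.com"))
    print(check_hostname(store_cert, "store.pgp.com"))

    # A constructed wildcard certificate, to show where wildcards do and do not apply.
    wildcard_cert = CertNames(common_name="*.pgp.com", san_dns=["*.pgp.com", "pgp.com"])
    print(check_hostname(wildcard_cert, "www.pgp.com"))
    print(check_hostname(wildcard_cert, "a.b.pgp.com"))
```

Run it as a script to see the mismatch for www.pgp.com against the store.pgp.com certificate; the wildcard cases show why a cert for *.pgp.com would not have rescued a deeper name such as a.b.pgp.com either.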
Re: New Attack on Secure Browsing
Anton Stiglic wrote:

> > You stated that http://www.pgp.com is an SSL-protected page, but did you mean https://www.pgp.com? On my Powerbook, with all the browsers I get an error that the certificate is wrong and they end up at http://www.pgp.com.
>
> What I get is a bad certificate, and this is due to the fact that the certificate is issued to store.pgp.com and not www.pgp.com. Interestingly (maybe?), when you go and browse on their on-line store, and check something out to buy, the session is secured but with another certificate, one issued to secure.pgpstore.com.

Just to clarify, there is no SSL cert involved - or there shouldn't be?!

My original post was pointing out that it is possible to fool users by putting a favicon padlock in place. This seems to work only on non-IE browsers, as these are the ones that went further and display the favicon without further user intervention.

If users can be so fooled, then they can be encouraged to enter their details as if they are logging into the site (not PGP but say e*Trade). Hey presto, stolen authentication, and stolen money.

I didn't expect so much confusion on this point, but if indeed that wasn't obvious so much the better: that was the issue, that people could be easily confused!

iang
New Attack on Secure Browsing
Financial Cryptography Update: New Attack on Secure Browsing
July 15, 2004
http://www.financialcryptography.com/mt/archives/000179.html

Congratulations go to PGP Inc - who was it, guys, don't be shy this time? - for discovering a new way to futz with secure browsing. Click on http://www.pgp.com/ and you will see an SSL-protected page with that cute little padlock next to domain name. And they managed that over HTTP, as well! (This may not be seen in IE version 5 which doesn't load the padlock unless you add it to favourites, or some such.)

Whoops! That padlock is in the wrong place, but who's going to notice? It looks pretty bona fide to me, and you know, for half the browsers I use, I often can't find the darn thing anyway.

This is so good, I just had to add one to my SSL page (http://iang.org/ssl/ ). I feel so much safer now, and it's cheaper than the ones that those snake oil vendors sell :-)

What does this mean? It's a bit of a laugh, is all, maybe. But it could fool some users, and as Mozilla Foundation recently stated, the goal is to protect those that don't know how to protect themselves. Us techies may laugh, but we'll be laughing on the other side when some phisher tricks users with the little favicon.

It all puts more pressure on the oh-so-long overdue project to bring the secure back into secure browsing. Microsoft have befuddled the already next-to-invisible security model even further with their favicon invention, and getting it back under control should really be a priority. Putting the CA logo on the chrome now seems inspired - clearly the padlock is useless. See countless rants [1] listing the 4 steps needed and also a new draft paper from Amir Herzberg and Ahmad Gbara [2] exploring the use of logos on the chrome.
[1] SSL considered harmful, http://iang.org/ssl/
[2] Amir Herzberg and Ahmad Gbara, Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites, http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm