On Wed, 8 Jun 2005, David Wagner wrote:
> [...]
> That said, I don't see how adding an extra login page to click on helps.
> If the front page is unencrypted, then a spoofed version of that page
> can send you to the wrong place.  Sure, if users were to check SSL
> certificates extremely carefully, they might be able to detect the funny
> business -- but we know that users don't do this in practice.
>
> Dan Bernstein has been warning of this risk for many years.
> http://cr.yp.to/djbdns/bugtraq/[EMAIL PROTECTED]
> http://cr.yp.to/dnscache/bugtraq/[EMAIL PROTECTED]
>
> As far as I can tell, if the front page is unencrypted, and if the
> attacker can mount DNS cache poisoning, "pharming", or other web spoofing
> attacks -- then you're hosed.  Did I get something wrong?

Well, yes. TLS guarantees that you're talking to the website listed in the location bar. Knowing what domain you *wanted* is up to you, and Dan handles that by suggesting that perhaps you have a paper brochure from the bank which lists their domain.

So, it's fine to have http://amex.com link to https://amex.com (or whatever.com) for forms requesting anything sensitive as long as amex.com (or whatever.com) is what's printed in the brochure. As Dan points out, examination of the certificate is generally pointless as long as it's signed by a trusted CA, since the attacker can get a perfectly valid cert for hackers-r-us.com anyway. The big question is just whether the domain asking for your account info corresponds with the organization you trust with it.

Of course, brochures aren't exactly hard to spoof (cf. Verisign's fraudulent domain renewal postcards). And then there are the dozens of CAs your browser accepts, the CA staff who issue microsoft.com certs to random passersby, international domain names that look identical to, er, national ones. All those gotchas apply even in the "correct" implementation outlined by Dan.

                                                -J
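The point made above is that TLS only binds the connection to the name in the location bar; whether that name is the one the customer was told out of band (the "brochure") is a separate check that neither the CA nor the browser makes. The following is an added illustration, not code from either poster: a small Python audit that takes the HTML of an unencrypted front page and checks every link and form target against a brochure allow-list, flagging plaintext targets, hosts that are not on the list, and hosts that use non-ASCII or punycode labels (the "international domain names that look identical" problem). The page URL, HTML, brochure list and lookalike hostnames are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Out-of-band trust anchor: the domains printed in a (hypothetical) paper
# brochure. Anything not in this set is not "the bank", whatever its cert says.
BROCHURE_DOMAINS = frozenset({"amex.com", "www.amex.com"})


class LinkCollector(HTMLParser):
    """Collects every <a href> and <form action> target on a page, in order."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.targets.append(attrs["action"])


def classify_target(url, page_url, brochure_domains=BROCHURE_DOMAINS):
    """Return a verdict for one link or form target found on the front page.

    'not-https'     -> plaintext target: can be rewritten by anyone on the path
    'idn-lookalike' -> host has non-ASCII or 'xn--' labels: may render like a
                       brochure domain but is a different name to DNS and TLS
    'off-brochure'  -> https host with (possibly) a perfectly valid cert that is
                       simply not one of the bank's domains
    'ok'            -> https to a brochure domain
    """
    absolute = urljoin(page_url, url)          # resolve relative targets
    parts = urlsplit(absolute)
    host = (parts.hostname or "").rstrip(".")  # lowercased by urlsplit
    if parts.scheme != "https":
        return "not-https"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "idn-lookalike"
    if host not in brochure_domains:
        return "off-brochure"
    return "ok"


def audit_front_page(html, page_url, brochure_domains=BROCHURE_DOMAINS):
    """Return [(target, verdict), ...] for every link/form on the page."""
    collector = LinkCollector()
    collector.feed(html)
    return [(t, classify_target(t, page_url, brochure_domains))
            for t in collector.targets]


# Constructed sample front page. The hostnames other than amex.com are invented;
# "xn--mex-5cd" is a made-up punycode-style label, not a real encoding of anything.
FRONT_PAGE_URL = "http://amex.com/"
FRONT_PAGE_HTML = """
<a href="https://www.amex.com/login">Log in</a>
<form action="/login" method="post"></form>
<a href="https://amex-secure-login.com/">Verify your account</a>
<a href="https://www.xn--mex-5cd.com/login">Log in</a>
<a href="https://www.\u0430mex.com/login">Log in</a>
"""

if __name__ == "__main__":
    for target, verdict in audit_front_page(FRONT_PAGE_HTML, FRONT_PAGE_URL):
        print(f"{verdict:14} {target}")
```

Only the first target passes; the relative form action inherits the page's plaintext scheme, the third host has no relationship to the brochure even though a CA would happily certify it, and the last two differ from the brochure domain in ways a human reading the location bar is unlikely to notice. The allow-list is the whole point: the check answers "is this the organization I trust?", which is exactly the question certificate validation alone does not.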

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
