Perry E. Metzger wrote:

> When I go to the SSL protected page, I can look at the URL and the
> lock icon in the corner before typing in my password.

Bless you for being so careful. I, instead, look at the logo of the site and of the CA as displayed in TrustBar. This is much easier, and protects me from subtle changes in the URL e.g. homographic attacks, from spoofed address bars, and from certificates granted without proper validation, e.g. `domain validated` certificates. I would expect each security expert to use TrustBar (or other appropriate browser or browser extension - but check they don't send each URL to their server).

> When you type in
> your password BEFORE the SSL connection, by the time you realize that
> it went to the wrong place, it is way too late.
If you realize it at all. A phisher can easily make you unaware of this.

> I admit that not everyone will check the URL and the lock icon, but at
> least it is *possible* to train people to do the right thing on
> that. There is no way, effectively, to train people to be safe given
> the way that Amex is set up.
And no way you can protect your users by a proxy or a local TrustBar installation, which, as argued above, can protect reasonably well even naive or unsuspecting users.
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University

New: see my Hall Of Shame of Unprotected Login pages:

The Cryptography Mailing List