Ian Grigg wrote:
> ((((( Financial Cryptography Update: New Attack on Secure Browsing )))))...
> http://www.financialcryptography.com/mt/archives/000179.html...

Yes, the FavIcon can become a real favorite with conmen and phishers... But I think the real use would not be to present an SSL icon where it is not really used; as I found, many "serious" web sites such as Yahoo!, Chase, Microsoft's Passport, Ebay,... (see fig 5 of http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm) already ask for passwords in a non-SSL-protected page.

> What does this mean? It's a bit of a laugh, is all, maybe. But it could fool some users, and as Mozilla Foundation recently stated, the goal is to protect those that don't know how to protect themselves. Us techies may laugh, but we'll be laughing on the other side when some phisher tricks users with the little favicon.
So what the spoofers can really use the FavIcon for is simply to present the logo of the victim web site being cloned. This can really help (the spoofer).
The solution: allow a FavIcon only if it is properly approved by the user or someone trusted by the user (a peer, a-la-PGP, or a trustworthy Logo Certifying Authority). I.e., the FavIcon should be a part of the Trusted Logo and Credentials Area (see paper for details). While I must admit we didn't do this yet in our prototype, adding this functionality should not be too difficult (and we'll probably do it soon).
> It all puts more pressure on the oh-so-long overdue project to bring the "secure" back into "secure browsing."...

Agreed!

Best, Amir Herzberg ...
> Putting the CA logo on the chrome now seems inspired - clearly the padlock is useless. See countless rants [1] listing the 4 steps needed and also a new draft paper from Amir Herzberg and Ahmad Gbara [2] exploring the use of logos on the chrome.
>
> [1] SSL considered harmful, http://iang.org/ssl/
> [2] Protecting (even) Naïve Web Users, or: Preventing Spoofing and Establishing Credentials of Web Sites, http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
