Hi guys,

I'm afraid I've been disconnected from this group for a while. Ian reminded me this is an important forum, so here are some updates.

1. I keep a `Hall of shame` of unprotected login pages, at http://AmirHerzberg.com/shame.html; I've recently updated it substantially (it now includes e.g. PayPal, Chase, Microsoft's Passport, CitiGroup's SmithBarney, Bank of America, Amex, ...). Most of these sites do use SSL to encrypt the password, but not to protect the login form itself against spoofing/phishing, which is imho the most common threat. I'd love to hear your opinions and of course to add additional sites you find (I'll add a `contributors` section - I have a few already to add there). In particular: I informed all these companies ahead of posting, but most ignored or failed to act (the few that did fix are of course not listed). Do you think I should not be publishing this info?

2. I've seen comments here by Ian and others on the TrustBar, NetCraft bar, etc. Please understand that TrustBar is a research project and not trying to compete with a commercial bar... however, this does not necessarily mean a commercial bar is better. We considered doing database lookups, and in fact got free access from Comodo to allow us to do so, but decided not to do it from TrustBar exactly for privacy (and also performance) considerations. IMHO, we can achieve all the security goals without such an intrusive and wasteful DB access (of course this access may be the whole point for NetCraft, maybe...). We received a lot of positive responses on TrustBar, from users and also from browser developers, and we believe it already made some positive impact. We are now working on new versions. The first, 0.32, will be released towards the end of June, and the main change there is an improved UI - making TrustBar less intrusive and making it easier to rename sites.

Best,
Amir Herzberg

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
