On Wed, Feb 25, 2009 at 4:16 PM, Rich Shepard <[email protected]> wrote:
> On Wed, 25 Feb 2009, Dan Young wrote:
>
>> Some (many?) people don't pay attention to which part of the browser
>> chrome that little padlock is supposed to show up in:
>> http://isc.sans.org/diary.html?storyid=5908
>
> I've had several experiences (e.g., trying to register online for
> conferences) where the site says it's a secure link, but I don't see the
> color of the URL and status line change from white to yellow, and I don't
> see the locked padlock in both places.
>
> When I call the organization/business they try to tell me it really is
> secure, but I tell them that if I cannot see the visual signs of an SSL
> connection I don't trust it.
Some sites use SSL-encrypted *forms* just for submission. So you end up with a non-SSL page that you type your info into, and when you hit the submit button the info is sent to an SSL URL. Theoretically this would be secure, but there are security problems with this, which were recently discussed at BlackHat (see http://www.doxpara.com/?p=1269 and https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf). Mainly you can downgrade the connection, and you can also inject JavaScript into the non-SSL page and sniff the data from the form.

Cheers,
Jason

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
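The pattern Jason describes (a plain-HTTP page whose form posts to an HTTPS URL) is something a site owner can audit for mechanically, since the problem is visible in the page's own markup before any user types anything. The following is an added example, not code from the thread or from the PLUG list: a small stdlib-only checker that parses the forms in a page, resolves each form's action against the page URL, and classifies the combination of page scheme and action scheme. The page URL and HTML below are constructed sample input; the hostname `registration.example` is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action means "post back to the page URL".
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return [(resolved_action_url, finding)] for each form on the page.

    Findings:
      "ok"                       - HTTPS page posting to HTTPS
      "http-page-https-action"   - the pattern from the thread: the page the
                                   user fills in is unprotected, so its form
                                   can be altered or its target downgraded
                                   before the user ever reaches the SSL URL
      "http-page-http-action"    - form data sent entirely in the clear
      "https-page-http-action"   - data leaves the secure context on submit
    """
    parser = _FormCollector()
    parser.feed(html)
    page_https = urlsplit(page_url).scheme.lower() == "https"

    findings = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # relative actions inherit the page scheme
        target_https = urlsplit(target).scheme.lower() == "https"
        if page_https and target_https:
            finding = "ok"
        elif page_https and not target_https:
            finding = "https-page-http-action"
        elif not page_https and target_https:
            finding = "http-page-https-action"
        else:
            finding = "http-page-http-action"
        findings.append((target, finding))
    return findings


def page_safe_to_fill(page_url, html):
    """True only if the page itself is HTTPS and every form posts to HTTPS."""
    return all(f == "ok" for _, f in audit_forms(page_url, html))


# Constructed sample: a conference-registration page served over plain HTTP.
SAMPLE_PAGE_URL = "http://registration.example/conference"
SAMPLE_HTML = """
<html><body>
  <form method="post" action="https://registration.example/submit">
    <input name="card_number"><input type="submit">
  </form>
  <form method="get" action="/search">
    <input name="q"><input type="submit">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for url, finding in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{finding:25s} {url}")
    print("safe to fill in:", page_safe_to_fill(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

Run against a page fetched from your own site, the `http-page-https-action` finding is the one to fix: serve the page that carries the form over HTTPS as well, so the browser shows the padlock before the user starts typing, which is exactly the visual check Rich relies on above.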
