Re: Question on the state of the security industry
A couple of recent news stories:

1) Intuit warns of credit card risk
http://news.com.com/Intuit+warns+of+credit+card+risk/2100-1029_3-5269821.html

2) Cyberattacks are soaring, countermeasures are sucking up tons of cash, and hardware and software vendors for the most part are sitting it out, *Bob Evans* says. But big customers are starting to say enough is enough, so the business-technology world is about to get whirled.
http://www.informationweek.com/story/showArticle.jhtml;jsessionid=WK0LPHXYB4YSUQSNDBGCKHY?articleID=22104612

... I've been saying for some time that after-market security is broken by design ... it is somewhat like after-market seat belts of the 60s. For security to work, it has to be designed and built in from the start.

Some relatively recent comments about after-market security:
http://www.garlic.com/~lynn/2002h.html#39 Oh, here's an interesting paper
http://www.garlic.com/~lynn/2002p.html#27 Secure your PC or get kicked off the net?
http://www.garlic.com/~lynn/2003n.html#14 Poor people's OS?

--
Anne Lynn Wheeler
http://www.garlic.com/~lynn/

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: New Attack on Secure Browsing
Hi Ian,

> Congratulations go to PGP Inc - who was it, guys, don't be shy this time? - for discovering a new way to futz with secure browsing. Click on http://www.pgp.com/ and you will see an SSL-protected page with that cute little padlock next to the domain name. And they managed that over HTTP, as well! (This may not be seen in IE version 5 which doesn't load the padlock unless you add it to favourites, or some such.)

Here's what I saw when going to the PGP site:

Windows XP Pro:
  IE 6.x: No padlock
  Firefox 0.9.2: Padlock on address bar and tab

Mac OS 10.2.8:
  IE 5.2: No padlock
  Safari 1.0.2: Padlock on address bar but not on tab
  Firefox 0.8: Padlock on address bar and tab
  Camino 0.7: Padlock on address bar and tab

You stated that http://www.pgp.com is an SSL-protected page, but did you mean https://www.pgp.com? On my Powerbook, with all the browsers I get an error that the certificate is wrong and they end up at http://www.pgp.com.

I'm not sure if PGP deliberately set out to confuse naïve users since their logo has been the padlock for a while. Many web sites have their logo displayed on the address bar (and tab) when you go to their site, see http://www.yahoo.com or http://www.google.com. Maybe Jon can answer the question.

Respectfully,
Aram Perez
Re: New Attack on Secure Browsing
Aram,

It's now pretty clear that PGP had no clue what this was all about. Apologies to all, that was my mistake.

Also, to clarify, there was no SSL involved. What we are looking at is a case of being able to put a padlock on the browser in a place that *could* be confused by a user. This is an unintended consequence of the favicon design by Microsoft.

Now, another thing becomes clearer, from your report and others: Microsoft implemented the display of the favicon only as accepted / chosen by the user. You have to add this site as a favourite. Other browsers - the competitors - went further and displayed the favicon on arrival at the site. I guess they felt that it could be more useful than Microsoft had intended. But, in this case, it seems that they may have stumbled on something that goes too far.

What will save them in this case is that the numbers of users of such non-Microsoft browsers are relatively small. If the tables were turned, and it was Microsoft that was vulnerable, I'd confidently predict that we would see some attempted exploits of this in the next month's phishing traffic.

iang

Aram Perez wrote:
> Hi Ian,
>
> > Congratulations go to PGP Inc - who was it, guys, don't be shy this time? - for discovering a new way to futz with secure browsing. Click on http://www.pgp.com/ and you will see an SSL-protected page with that cute little padlock next to the domain name. And they managed that over HTTP, as well! (This may not be seen in IE version 5 which doesn't load the padlock unless you add it to favourites, or some such.)
>
> Here's what I saw when going to the PGP site:
>
> Windows XP Pro:
>   IE 6.x: No padlock
>   Firefox 0.9.2: Padlock on address bar and tab
>
> Mac OS 10.2.8:
>   IE 5.2: No padlock
>   Safari 1.0.2: Padlock on address bar but not on tab
>   Firefox 0.8: Padlock on address bar and tab
>   Camino 0.7: Padlock on address bar and tab
>
> You stated that http://www.pgp.com is an SSL-protected page, but did you mean https://www.pgp.com? On my Powerbook, with all the browsers I get an error that the certificate is wrong and they end up at http://www.pgp.com.
>
> I'm not sure if PGP deliberately set out to confuse naïve users since their logo has been the padlock for a while. Many web sites have their logo displayed on the address bar (and tab) when you go to their site, see http://www.yahoo.com or http://www.google.com. Maybe Jon can answer the question.
Re: Verifying Anonymity
Ben Laurie [EMAIL PROTECTED] writes:
> The recent conversation on SSL where Eric Rescorla was lampooned for saying (in effect) "I've tried it on several occasions and it seemed to work, therefore it must be trustworthy", to which he responded "actually, that's a pretty reasonable way of assessing safety in systems where there's no attacker specifically targeting you", prompted me to ask this ... if a system claims to give you anonymity, how do you (as a user) assess that claim? I find it hard to imagine how you can even know whether it seems to work, let alone has some subtle problem.

That's clearly a much harder problem--and indeed I suspect it's behind the general lack of interest that the public has shown in anonymous systems.

-Ekr
RE: Verifying Anonymity
> [...] I find it hard to imagine how you can even know whether it seems to work, let alone has some subtle problem.
>
> That's clearly a much harder problem--and indeed I suspect it's behind the general lack of interest that the public has shown in anonymous systems.
>
> -Ekr

The lack of understanding of how a solution works applies to most security products and in general to all computer products. Most people don't have a clue how an SSL encrypted session really protects your credit card number in transit, but a lot of people are starting to realize that they should use it (they understand to some extent the problem SSL attempts to solve).

With anonymity systems, I don't think understanding how a solution works is a problem to its widespread use; the problem is more that of understanding the *problem the solution attempts to solve*. People still don't understand the consequences of privacy invasion on the Internet (the problem). Once they do, they will be willing to pay for a solution from any trusted company, without needing to understand how the solution actually works.

IMHO...

--Anton
RE: New Attack on Secure Browsing
> You stated that http://www.pgp.com is an SSL-protected page, but did you mean https://www.pgp.com? On my Powerbook, with all the browsers I get an error that the certificate is wrong and they end up at http://www.pgp.com.

What I get is a bad certificate, and this is due to the fact that the certificate is issued to store.pgp.com and not www.pgp.com.

Interestingly (maybe?), when you go and browse on their on-line store, and check something out to buy, the session is secured but with another certificate, one issued to secure.pgpstore.com.

--Anton
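The "bad certificate" Anton describes is the browser's hostname check failing: the name typed in the URL (www.pgp.com) is not among the names the certificate was issued for (store.pgp.com). The following is an added example, not code from the thread or from PGP, showing the comparison a browser performs, including the single-label wildcard rule and the old fallback from the Subject Alternative Name to the Common Name. The certificate contents are constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; they are illustrations, not the real 2004 PGP certificates.

```python
"""Hostname verification as a browser does it (added example, constructed data)."""


def host_matches_pattern(host: str, pattern: str) -> bool:
    """Match one certificate name (possibly with a leading wildcard) against a hostname.

    Rules in the style of RFC 2818 / RFC 6125:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the complete left-most label ("*.example.com");
      * the wildcard stands for exactly one label, so "*.example.com" matches
        neither "example.com" nor "a.b.example.com";
      * patterns with fewer than two fixed labels after the wildcard ("*.com")
        are refused outright.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    pat_labels = pattern.split(".")
    host_labels = host.split(".")
    if pat_labels[0] != "*" or any("*" in label for label in pat_labels[1:]):
        return False  # "w*.pgp.com" or "*.p*p.com" are not accepted
    if len(pat_labels) < 3:
        return False  # too broad: "*.com"
    if len(host_labels) != len(pat_labels):
        return False  # the wildcard covers exactly one label
    return host_labels[1:] == pat_labels[1:]


def cert_names(cert: dict) -> list:
    """Names a client may accept for this certificate.

    Uses the subjectAltName dNSName entries when any are present. Only when
    there are none does it fall back to the Subject Common Name, which is how
    browsers of the period behaved; current browsers ignore the CN entirely.
    """
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def certificate_matches_host(cert: dict, host: str) -> bool:
    """True if any acceptable name in the certificate covers the requested host."""
    return any(host_matches_pattern(host, name) for name in cert_names(cert))


# Constructed certificates (assumptions for illustration, not the real PGP certs).
STORE_CERT = {
    "subject": ((("commonName", "store.pgp.com"),),),
    "subjectAltName": (("DNS", "store.pgp.com"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.pgp.com"),),),
    "subjectAltName": (("DNS", "*.pgp.com"),),
}
CN_ONLY_CERT = {  # no subjectAltName at all: only the CN fallback can match
    "subject": ((("commonName", "secure.pgpstore.com"),),),
}


if __name__ == "__main__":
    for cert, host in [
        (STORE_CERT, "www.pgp.com"),      # the mismatch the thread describes
        (STORE_CERT, "store.pgp.com"),
        (WILDCARD_CERT, "www.pgp.com"),
        (WILDCARD_CERT, "pgp.com"),
        (WILDCARD_CERT, "a.b.pgp.com"),
        (CN_ONLY_CERT, "secure.pgpstore.com"),
    ]:
        print(f"{host:24s} vs {cert_names(cert)}: "
              f"{'ok' if certificate_matches_host(cert, host) else 'MISMATCH'}")
```

In a real client this comparison happens after chain validation, not instead of it; Python's `ssl.create_default_context()` performs both (`check_hostname=True`) and raises before any application data is sent, which is the behaviour the browsers in Aram's report showed when they refused https://www.pgp.com.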
Re: New Attack on Secure Browsing
Anton Stiglic wrote:
> > You stated that http://www.pgp.com is an SSL-protected page, but did you mean https://www.pgp.com? On my Powerbook, with all the browsers I get an error that the certificate is wrong and they end up at http://www.pgp.com.
>
> What I get is a bad certificate, and this is due to the fact that the certificate is issued to store.pgp.com and not www.pgp.com.
>
> Interestingly (maybe?), when you go and browse on their on-line store, and check something out to buy, the session is secured but with another certificate, one issued to secure.pgpstore.com.

Just to clarify, there is no SSL cert involved - or there shouldn't be?!

My original post was pointing out that it is possible to fool users by putting a favicon padlock in place. This seems to work only on non-IE browsers, as these are the ones that went further and display the favicon without further user intervention.

If users can be so fooled, then they can be encouraged to enter their details as if they are logging into the site (not PGP but say e*Trade). Hey presto, stolen authentication, and stolen money.

I didn't expect so much confusion on this point, but if indeed that wasn't obvious so much the better: that was the issue, that people could be easily confused!

iang
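The point Ian makes in this message, and in his earlier reply to Aram, is that the favicon is content the site (or a phisher) controls, so a padlock drawn there says nothing about the transport; the only trustworthy signals are the URL scheme and a certificate that validates. The following is an added example, not code from the thread, that applies exactly that separation to a captured page: it parses the HTML, records what favicon the page declares, and reports the combinations a phishing analyst would flag (a padlock-style icon on a plain-HTTP page, a password form posted without TLS or to another host). The sample pages, hostnames and icon filenames are constructed for illustration.

```python
"""Favicon padlock vs. real transport security (added example, constructed pages)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Icon names that look like they are trying to imitate the browser's lock.
PADLOCK_WORDS = ("lock", "padlock", "secure", "ssl")


class _PageScan(HTMLParser):
    """Collects declared favicons and the forms that carry a password field."""

    def __init__(self):
        super().__init__()
        self.icons = []      # href values of <link rel="... icon ...">
        self.forms = []      # dicts: {"action": str, "password": bool}
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rel = (a.get("rel") or "").lower().split()
            if "icon" in rel and a.get("href"):
                self.icons.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def assess_page(url: str, html: str) -> dict:
    """Return the real transport state plus findings about misleading decoration."""
    scan = _PageScan()
    scan.feed(html)
    page = urlparse(url)
    transport_secure = page.scheme == "https"   # the only signal that counts
    findings = []

    padlock_icons = [i for i in scan.icons
                     if any(w in i.lower() for w in PADLOCK_WORDS)]
    if padlock_icons and not transport_secure:
        findings.append("padlock-style favicon on a plain-HTTP page: "
                        + ", ".join(padlock_icons))

    for form in scan.forms:
        if not form["password"]:
            continue
        target = urlparse(urljoin(url, form["action"]))  # resolve relative actions
        if target.scheme != "https":
            findings.append(f"password form submits over {target.scheme} "
                            f"to {target.netloc}")
        if target.netloc != page.netloc:
            findings.append(f"password form submits to a different host: "
                            f"{target.netloc}")

    return {"transport_secure": transport_secure,
            "favicons": scan.icons,
            "findings": findings}


# Constructed samples (hostnames under .test are reserved and never resolve).
PHISH_URL = "http://login.example.test/account"
PHISH_HTML = """<html><head>
<link rel="shortcut icon" href="/img/padlock.ico">
</head><body>
<form action="http://collect.example.test/login" method="post">
<input type="text" name="user"><input type="password" name="pass">
</form></body></html>"""

BANK_URL = "https://bank.example.test/"
BANK_HTML = """<html><head><link rel="icon" href="/favicon.ico"></head>
<body><form action="/login" method="post">
<input type="password" name="pass"></form></body></html>"""

LOGO_URL = "http://news.example.test/"   # a plain site with a logo favicon, no login
LOGO_HTML = '<html><head><link rel="icon" href="/logo.png"></head><body></body></html>'


if __name__ == "__main__":
    for url, html in [(PHISH_URL, PHISH_HTML), (BANK_URL, BANK_HTML), (LOGO_URL, LOGO_HTML)]:
        result = assess_page(url, html)
        print(url, "secure transport:", result["transport_secure"])
        for finding in result["findings"]:
            print("   -", finding)
```

The third sample matters as much as the first: Aram's observation that Yahoo and Google also put their logos in the address bar is the benign case, and the check leaves it alone because the icon itself is never the problem, only the attempt to read it as a security indicator.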