Re: Defending users of unprotected login pages with TrustBar 0.4.9.93

2005-09-22 Thread Anne & Lynn Wheeler
Axley, Jason wrote:
> I think that this trades one security problem for others in the
> application security realm.  Sites that allow for equivalent functional
> duality in either HTTPS or HTTP protocols often suffer from problems
> where the HTTPS site inadvertently references an HTTP URL instead of
> HTTPS when doing something sensitive.  Most people won't notice the
> insecurity because the site "still works".  I prefer when applications
> break in insecure ways that they break loudly.

and the latest phishing
http://www.techweb.com/wire/security/171100298;jsessionid=EE0OXQCFILSOEQSNDBCCKHSCJUMEKJVN

New Phish Deceives With Phony Certificates

A new, advanced form of phishing, dubbed "secured phishing" because it
relies on self-signed digital certificates, can easily fool all but the
most cautious consumers, a security firm warned Thursday.

... snip ...

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


[Clips] NSA granted Net location-tracking patent

2005-09-22 Thread R.A. Hettinga

--- begin forwarded text


 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 22 Sep 2005 11:47:03 -0400
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R.A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] NSA granted Net location-tracking patent
 Reply-To: [EMAIL PROTECTED]
 Sender: [EMAIL PROTECTED]

 

 CNET News


  NSA granted Net location-tracking patent

  By Declan McCullagh

  Story last modified Wed Sep 21 13:49:00 PDT 2005


 The National Security Agency has obtained a patent on a method of figuring
 out an Internet user's geographic location.

 Patent 6,947,978, granted Tuesday, describes a way to discover someone's
 physical location by comparing it to a "map" of Internet addresses with
 known locations.

 The NSA did not respond Wednesday to an interview request, and the patent
 description talks only generally about the technology's potential uses. It
 says the geographic location of Internet users could be used to "measure
 the effectiveness of advertising across geographic regions" or flag a
 password that "could be noted or disabled if not used from or near the
 appropriate location."

 Other applications of the geo-location patent, invented by Stephen Huffman
 and Michael Reifer of Maryland, could relate to the NSA's signals
 intelligence mission--which is, bluntly put, spying on the communications
 of non-U.S. citizens.

 "If someone's engaged in a dialogue or frequenting a 'bad' Web site, the
 NSA might want to know where they are," said Mike Liebhold, a senior
 researcher at the Institute for the Future who has studied geo-location
 technology. "It wouldn't give them precision, but it would give them a clue
 that they could use to narrow down the location with other intelligence
 methods."

 The NSA's patent relies on measuring the latency, meaning the time lag
 between computers exchanging data, of "numerous" locations on the Internet
 and building a "network latency topology map." Then, at least in theory,
 the Internet address to be identified can be looked up on the map by
 measuring how long it takes known computers to connect to the unknown one.



 The technique isn't foolproof. People using a dial-up connection can't be
 traced beyond their Internet service provider--which could be in a
 different area of the country--and it doesn't account for proxy services
 like Anonymizer.

 Geo-location, sometimes called "geo-targeting" when used to deliver
 advertising, is an increasingly attractive area for Internet businesses.
 DoubleClick has licensed geo-location technology to deliver
 location-dependent advertising, and Visa has signed a deal to use the
 concept to identify possible credit card fraud in online orders.

 Digital Envoy holds a patent on geo-location, and Quova, a privately held
 firm in Mountain View, Calif., holds three more, one shared with Microsoft.

 "It's honestly not clear that there's anything special or technically
 advanced about what they're describing," Quova Vice President Gary Jackson
 said, referring to the NSA's patent. "I'd have to have our technical guys
 read it, but I don't think it impacts us in any way."

 --
 -
 R. A. Hettinga 
 The Internet Bearer Underwriting Corporation 
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 ___
 Clips mailing list
 [EMAIL PROTECTED]
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

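As an added illustration (not code from the article or from the patent itself), here is a toy version of the "network latency topology map" lookup the story describes, together with the password-location check the patent text suggests; the landmark names, addresses, cities and round-trip times are all constructed:

```python
import math

# Constructed "network latency topology map": for each known address, the
# round-trip times in ms measured from the same ordered set of landmark hosts.
# Addresses, landmark names, cities and timings are all made up.
LANDMARKS = ("lm-east", "lm-central", "lm-west")
LATENCY_MAP = {
    "198.51.100.10": ("Boston",      (5.0, 40.0, 85.0)),
    "198.51.100.20": ("New York",    (8.0, 38.0, 82.0)),
    "198.51.100.30": ("Chicago",     (35.0, 6.0, 55.0)),
    "198.51.100.40": ("Los Angeles", (88.0, 50.0, 7.0)),
}

def _distance(a, b):
    """Euclidean distance between two latency vectors (same landmark order)."""
    assert len(a) == len(b) == len(LANDMARKS)
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def estimate_location(latencies, k=2):
    """Look the unknown address up on the map: take the k known addresses with
    the closest latency vectors, vote on their city, break ties by closeness.
    Returns (city, distance to the matched entry); a large distance means no
    known address behaves like this one."""
    ranked = sorted(LATENCY_MAP.values(), key=lambda e: _distance(latencies, e[1]))
    nearest = ranked[:k]
    votes = {}
    for city, _ in nearest:
        votes[city] = votes.get(city, 0) + 1
    best = max(nearest, key=lambda e: (votes[e[0]], -_distance(latencies, e[1])))
    return best[0], _distance(latencies, best[1])

def login_location_check(expected_city, latencies, max_distance=20.0):
    """The use the patent text names: note a password used away from its usual
    location. If the vector matches nothing on the map well (a proxy or a
    dial-up pool, as the article notes), answer 'unknown' rather than 'ok'."""
    city, distance = estimate_location(latencies)
    if distance > max_distance:
        return "unknown"
    return "ok" if city == expected_city else "flag"

if __name__ == "__main__":
    probe = (6.0, 41.0, 84.0)  # constructed measurement of an unknown host
    print(estimate_location(probe), login_location_check("Boston", probe))
```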


RE: Defending users of unprotected login pages with TrustBar 0.4.9.93

2005-09-22 Thread Axley, Jason


David Wagner writes:

> One thing that web sites could do to help is to always make
> https://www.foo.com work just as well as http://www.foo.com, and
> then browser plug-ins could simply translate http://www.foo.com ->
> https://www.foo.com for all sensitive sites.  Of course, web site
> operators may be reluctant to take this step on performance grounds.

I think that this trades one security problem for others in the
application security realm.  Sites that allow for equivalent functional
duality in either HTTPS or HTTP protocols often suffer from problems
where the HTTPS site inadvertently references an HTTP URL instead of
HTTPS when doing something sensitive.  Most people won't notice the
insecurity because the site "still works".  I prefer when applications
break in insecure ways that they break loudly.

Security is a delicate dance.  Again, it all depends on the threat model
and the relative probability and impact of each threat.

-Jason



Re: Java: Helping the world build bigger idiots

2005-09-22 Thread Olle Mulmo


On Sep 21, 2005, at 23:27, Steve Furlong wrote:

> If by that you mean, "Program dumb: avoid tricky code, avoid odd
> usage, stick to the basics", I agree. Save your clever tricks for
> hobby code and the snippets you use to score hot chicks. Critical
> code, potentially dangerous code, and professional code should be
> written simply and with the idioms standard to the language.

Peter's example is "standard to the language". It's just not used much
by those influenced by other idioms prior to learning Java.


I guess another way of saying this is: the people on this list are 
getting old. :-)


/Olle




Re: Defending users of unprotected login pages with TrustBar 0.4.9.93

2005-09-22 Thread Amir Herzberg

Adam Back wrote:

> I would think it would be safer to block the site, or provide a
> warning dialog.


Before we do the first redirection, we do ask the user. However, since 
TrustBar is really part of our research on secure usability, we are 
aware that asking the user is a very problematic mechanism. Namely, we 
expect most users to simply click `yes` and forget about it. That's why 
I referred to it as default.


Seems that I must repeat my request: a lot of you seem to agree that
current browser security UI is broken; here we developed a seemingly
usable tool trying to fix it, which takes 2-3 minutes to install - why
don't you spend that time and then tell us how to improve (or to stop
wasting our time as well as your 5 minutes)? Of course, what we'd really
love (for our usability data) is for you also to get some non-expert
users to try to use the system... someone who really uses e-banking and
cares about the (very real) threat of spoofing/phishing...


> (This is what I was expecting when I started reading the head post; I
> was a bit surprised at the interventionism to actually go ahead and
> "fix" the site, maybe that would be a better default behavior).

Actually, from other feedback we got, I think we may extend the 
mechanism to be even more active, to protect also these pages which are 
not in our list of `known` unprotected login sites with a protected 
alternate site. What we may do is to archive a copy of these sites in 
your machine, and redirect you to the archived copy if/when the site 
`really` changes. This is a bit tricky as we need to ignore these small, 
insignificant changes that many of these sites do.



> btw Regarding unadvertised SSL equivalents, I have noticed if you
> login to gmail, you get SSL for login, but then http for web mailer.
> However if you edit the URL after login to https, it appears to work
> ok over SSL also.

Cool, this may also be something we can do for users (essentially
requires us extending the auto-redirection features with wildcard
functionality).


--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: 
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame
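An added example, not code from the thread or from TrustBar, that serves two points raised above: Jason Axley's concern that a site reachable over both HTTP and HTTPS can silently point a form or script at http:// for something sensitive, and Amir Herzberg's proposal to redirect to an archived copy of a login page only when the site "really" changes, ignoring cosmetic edits. The page URL and the HTML samples are constructed, and "security-relevant" is taken to mean form targets, visible input fields and script sources:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginPageProfile(HTMLParser):
    """Records the parts of a login page that decide where credentials go:
    form targets, visible input fields and script sources. Page text,
    styling and ads are ignored."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions, self.fields, self.scripts = set(), set(), set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.add(urljoin(self.page_url, a.get("action") or ""))
        elif tag == "input" and a.get("type", "text") != "hidden":
            self.fields.add((a.get("name", ""), a.get("type", "text")))
        elif tag == "script" and a.get("src"):
            self.scripts.add(urljoin(self.page_url, a["src"]))

def profile(page_url, html):
    p = LoginPageProfile(page_url)
    p.feed(html)
    p.close()
    return {"actions": p.actions, "fields": p.fields, "scripts": p.scripts}

def insecure_refs(prof):
    """Jason's failure mode: an HTTPS page whose form or script still points
    at plain http://, so credentials leave the TLS channel without anything
    visibly breaking. Returns the offending absolute URLs."""
    return sorted(u for u in prof["actions"] | prof["scripts"]
                  if urlsplit(u).scheme == "http")

def really_changed(archived, current):
    """Amir's archived-copy idea: names of the profile parts that differ.
    An empty list means only insignificant changes, so keep the live page."""
    return [k for k in archived if archived[k] != current[k]]

# Constructed sample pages, all notionally served from URL.
URL = "https://bank.example/login"
ARCHIVED = ('<form action="/auth"><input name="u"><input name="p" type="password">'
            '</form><script src="/js/app.js"></script><p>Welcome!</p>')
COSMETIC = ARCHIVED.replace("Welcome!", "Rates up 0.2%") + '<img src="/ad.gif">'
ALTERED = ARCHIVED.replace('action="/auth"', 'action="http://bank-login.example/auth"')
MIXED = ARCHIVED + '<script src="http://cdn.example/track.js"></script>'

if __name__ == "__main__":
    base = profile(URL, ARCHIVED)
    for name, page in (("cosmetic", COSMETIC), ("altered", ALTERED), ("mixed", MIXED)):
        cur = profile(URL, page)
        print(name, really_changed(base, cur), insecure_refs(cur))
```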




Re: Java: Helping the world build bigger idiots

2005-09-22 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Steve Furlong writes:

>
>On a related note, I've worked a bit with avionics and embedded
>medical software. The certification requirements for those bits of
>critical code might be helpful for crypto programming.
>

Not quite.  The name of the game is information security, and that's 
far more than crypto.  Sometimes, in fact, the two conflict.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb


