Re: More US bank silliness

2008-09-08 Thread Sebastian Krahmer

Hi,

This reminds me the most weird SSL related error message I have ever
seen and which is there since ages:

https://www.fbi.gov

Beside that the certificate is wrong :-)

regards,
Sebastian

On Mon, Sep 08, 2008 at 01:29:34AM +1200, Peter Gutmann wrote:

 In the ongoing comedy of errors that is US online banking security I've just
 run into another one that's good for a giggle: Go to www.wachovia.com and,
[...]

---
~~ perl self.pl
~~ $_='print\$_=\47$_\47;eval';eval
~~ [EMAIL PROTECTED] - SuSE Security Team
~~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


No Legitimate Expectation of Privacy for Data on Office Computer, Court Says

2008-09-08 Thread Ali, Saqib
An employee has no reasonable expectation of privacy in personal files
stored on a company-owned computer and an employer's consent makes a
police search lawful, an appeals court says in a ruling of first
impression in New Jersey.

We conclude ... that neither the law nor society recognize as
legitimate defendant's subjective expectation of privacy in a
workplace computer he used to commit a crime, Judge Marie Simonelli
wrote for the three-judge panel in State v. M.A., A-4922-06.

Read More:
http://www.law.com/jsp/article.jsp?id=1202424228730


saqib
http://doctrina.wordpress.com/

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


once more, with feeling.

2008-09-08 Thread Perry E. Metzger

I was shocked that several people posted in response to Peter
Gutmann's note about Wachovia, asking (I paraphrase):

What is the problem here? Wachovia's front page is only http
protected, but the login information is posted with https! Surely this
is just fine, isn't it?

I'm not going to explain why this is wrong. It should be obvious. If
it isn't obvious to you, you should try thinking like an attacker for
a few moments. If it still isn't obvious to you why this is very bad,
read the list archives.

(I won't be forwarding followups to this unless they are unusually
interesting.)

Perry
-- 
Perry E. Metzger[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: More US bank silliness

2008-09-08 Thread Sam Hartman
 Peter == Peter Gutmann [EMAIL PROTECTED] writes:

Peter On a semi-related topic, it'd be interesting to get some
Peter discussion about FF3 removing the FF2 SSL indicators of the
Peter padlock and (more visibly) the background colour-change for
Peter the URL bar when SSL is active and replacing it with a
Peter spoof-friendly indicator that's part of the favicon,
Peter i.e. part of the attacker-controlled content.  The URL bar
Peter colouring was by far the most visible security indicator
Peter that any web browser had, the giant leap backwards of
Peter moving to a near-invisible blue border around the favicon
Peter does nothing to indicate security and is trivially spoofed
Peter by putting a blue border around the favicon.  There's a
Peter bugzilla bug filed against it,
Peter https://bugzilla.mozilla.org/show_bug.cgi?id=430790 (with
Peter inevitable dups,


Peter, list, the W3C W Web Security Context working group is in the
final week of a public last call on their user interface guidelines.
These guidelines take a lookboth at the balance between EV-certs and
at user interface for security indicators.

Comments need to be received by September 15. The draft is at
http://www.w3.org/TR/2008/WD-wsc-ui-20080724/ and my take is at
http://www.painless-security.com/blog/2008/08/w3sc-lc/ .

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: once more, with feeling.

2008-09-08 Thread Darren J Moffat

Perry E. Metzger wrote:

I was shocked that several people posted in response to Peter
Gutmann's note about Wachovia, asking (I paraphrase):

What is the problem here? Wachovia's front page is only http
protected, but the login information is posted with https! Surely this
is just fine, isn't it?


[snip]


(I won't be forwarding followups to this unless they are unusually
interesting.)


Hopefully this is interesting enough to get forwarded on...

Sadly this practice is all too common, and often goes hand in hand with 
the other cardinal sin of https that of mixed http/https pages.


I believe the only way both of these highly dubious deployment practices 
will be stamped out is when the browsers stop allowing users to see such 
web pages. So that there becomes a directly attributable financial 
impact to the sites that deploy in that way.


As much as I like Firefox  Safari [ the only two browsers I use now ] 
this has to be led by Microsoft with Internet Explorer since that will 
have the biggest impact, given IE 8 is in beta this seems like a perfect 
opportunity to get this in as a change for the next version.


Warnings aren't enough in this context [ whey already exists ] the only 
thing that will work is stopping the page being seen - replacing it with 
a clearly worded explanation with *no* way to pass through and render 
the page (okay maybe with a debug build of the browser but not in the 
shipped product).



--
Darren J Moffat

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: once more, with feeling.

2008-09-08 Thread Paul Hoffman

At 4:16 PM +0100 9/8/08, Darren J Moffat wrote:

Hopefully this is interesting enough to get forwarded on...


Ditto. :-)

Warnings aren't enough in this context [ whey already exists ] the 
only thing that will work is stopping the page being seen - 
replacing it with a clearly worded explanation with *no* way to pass 
through and render the page (okay maybe with a debug build of the 
browser but not in the shipped product).


It depends on how we think change can be achieved. Until now, people 
designing pages using bad security practices balanced their laziness 
with the fact that their content would be displayed anyway so 
whatever. You are proposing moving to the other extreme. Given how 
easy your solution would be for browser vendors to implement, we have 
to assume that they have considered it and rejected it.


A less extreme solution would be to make the warning the user sees on 
a mixed-content page more insulting to the bank. This page contains 
both encrypted and non-encrypted content and is inherently insecure. 
The owner of this web site has clearly made a very poor security 
decision in showing this page to you. It is likely that other pages 
on this site also have similarly poor security. Knowing this, do you 
wish to continue anyway?


--Paul Hoffman, Director
--VPN Consortium

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: once more, with feeling.

2008-09-08 Thread Arshad Noor

Paul Hoffman wrote:


A less extreme solution would be to make the warning the user sees on a 
mixed-content page more insulting to the bank. This page contains both 
encrypted and non-encrypted content and is inherently insecure. The 
owner of this web site has clearly made a very poor security decision in 
showing this page to you. It is likely that other pages on this site 
also have similarly poor security. Knowing this, do you wish to continue 
anyway?




A more optimal solution is to have this vulnerability accepted by
the OWASP community as a Top 10 security vulnerability; it will
have the appropriate intended effect since mitigation to the OWASP
defined vulnerabilities is required in PCI-DSS:

6.5 Develop all web applications based on secure coding guidelines
such as the Open Web Application Security Project guidelines

https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
http://www.owasp.org/index.php/Top_10_2007

Arshad Noor
StrongAuth, Inc.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: once more, with feeling.

2008-09-08 Thread Darren Lasko
Arshad Noor wrote:
 A more optimal solution is to have this vulnerability accepted by
 the OWASP community as a Top 10 security vulnerability; it will
 have the appropriate intended effect since mitigation to the OWASP
 defined vulnerabilities is required in PCI-DSS:
 
 6.5 Develop all web applications based on secure coding guidelines
 such as the Open Web Application Security Project guidelines
 

Isn't this vulnerability already in the Top 10, specifically A7 - Broken 
Authentication and Session Management (
http://www.owasp.org/index.php/Top_10_2007-A7)?

From the Protection section for A7:

Do not allow the login process to start from an unencrypted page. Always 
start the login process from a second, encrypted page with a fresh or new 
session token to prevent credential or session stealing, phishing attacks 
and session fixation attacks.

Best regards,
Darren Lasko
Principal Engineer
Advanced Development Group, Storage Products
Fujitsu Computer Products of America

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: once more, with feeling.

2008-09-08 Thread Arshad Noor

Darren Lasko wrote:

Arshad Noor wrote:


6.5 Develop all web applications based on secure coding guidelines
such as the Open Web Application Security Project guidelines



Isn't this vulnerability already in the Top 10, specifically A7 - Broken 
Authentication and Session Management (

http://www.owasp.org/index.php/Top_10_2007-A7)?



I was just informed of this 10 minutes ago, privately.

Not sure how I missed this the last time I read the document
(perhaps because I was focusing on remediating an application
related to two other vulnerabilities on a project), but the
bank examiners also apparently missed this for Wachovia.

While login pages are not required to be PCI-DSS compliant
(since they generally do not deal with credit card numbers,
it has been my impression that many companies are adopting
OWASP guidelines for all their web-projects.  Perhaps its
taking time for some more than others.

Arshad Noor
StrongAuth, Inc.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: once more, with feeling.

2008-09-08 Thread Adam Shostack
On Mon, Sep 08, 2008 at 04:16:46PM +0100, Darren J Moffat wrote:
| 
| I believe the only way both of these highly dubious deployment practices 
| will be stamped out is when the browsers stop allowing users to see such 
| web pages. So that there becomes a directly attributable financial 
| impact to the sites that deploy in that way.
| 
| As much as I like Firefox  Safari [ the only two browsers I use now ] 
| this has to be led by Microsoft with Internet Explorer since that will 
| have the biggest impact, given IE 8 is in beta this seems like a perfect 
| opportunity to get this in as a change for the next version.

Not speaking for my employer here.

Most browser vendors try to display pages as best they can.  Both end
users and businesses get very upset at browser makers who push
security improvements by breaking existing practices.

If such changes were to happen, then they should either be emergency
(seems unlikely, given how long this has been around) or planned and
communicated.  Adding something high impact after beta 2 doesn't seem
like good communication.

What makes now the perfect time to address an issue which has been
present for quite soem time?

Adam

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]