Perry E. Metzger [EMAIL PROTECTED] writes:
Steven M. Bellovin [EMAIL PROTECTED] writes:
They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to them and not to someone who cleverly sent you an
Ken, you are correct (see below). And in fact, if the page came from the
right source (as validated by SSL and a secure browser extension such as
TrustBar), I don't think there is any need to validate the source (which
is impractical even for the geekest geek). After all, if a site is so
Few comments on what Ivars Suba wrote:
How to fight against phishing in organization environment?
Quite easy- put SSL termination Proxy between client browser and SSL
server:
Sure, but:
1. This doesn't have any effect on non-SSL-protected sites (e.g.
AmEx,... see `Hall of Shame`). And of course
Perry E. Metzger wrote:
Steven M. Bellovin [EMAIL PROTECTED] writes:
They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to them and not to someone who cleverly sent you an
altered version of
Ivars Suba responded to me:
1. This doesn't have any effect on non-SSL-protected sites (e.g.
AmEx,... see `Hall of Shame`). And of course assumes users will notice
the use of non-SSL-site...
Vowww.. I didn't know that AmEx is not ssl protected ;))
Before user credentials are passed to
R. Hirschfeld [EMAIL PROTECTED] writes:
From: Perry E. Metzger [EMAIL PROTECTED]
Date: Wed, 08 Jun 2005 19:01:37 -0400
The other major offender are organizations (such as portions of
Verizon) that subcontract payment systems to third parties. They are
training their users to expect to be
Ben Laurie [EMAIL PROTECTED] writes:
Perry E. Metzger wrote:
Steven M. Bellovin [EMAIL PROTECTED] writes:
They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to them and not to someone who
Perry E. Metzger wrote:
Ben Laurie [EMAIL PROTECTED] writes:
Perry E. Metzger wrote:
Steven M. Bellovin [EMAIL PROTECTED] writes:
They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to
Perry E. Metzger wrote:
When I go to the SSL protected page, I can look at the URL and the
lock icon in the corner before typing in my password.
Bless you for being so careful. I, instead, look at the logo of the site
and of the CA as displayed in TrustBar. This is much easier, and
Amir Herzberg [EMAIL PROTECTED] writes:
Perry makes a lot of good points, but then gives a wrong example re
Amex site (see below). Amex is indeed one of the unprotected login
sites (see my `I-NFL Hall of Shame`,
http://AmirHerzberg.com/shame.html). However, Amex is one of the few
companies
Amir Herzberg wrote:
3. They did not actually spell out the problem in using SSL in the
homepage (like eTrade, for instance). But I think I know the reason
(they didn't confirm or deny). I think the reason is that they host
their site; in particular, when I tried accessing it via https, I got
| Perry makes a lot of good points, but then gives a wrong example re Amex site
| (see below). Amex is indeed one of the unprotected login sites (see my `I-NFL
| Hall of Shame`, http://AmirHerzberg.com/shame.html). However, Amex is one of
| the few companies that actually responded seriously to my
Jerrold Leichter [EMAIL PROTECTED] writes:
If you look at their site now, they *claim* to have fixed it: The login box
has a little lock symbol on it. Click on that, and you get a pop-up window
discussing the security of the page. It says that although the page itself
isn't protected,
Cc: Amir Herzberg; cryptography@metzdowd.com
Subject: Re: AmEx unprotected login site
Jerrold Leichter [EMAIL PROTECTED] writes:
If you look at their site now, they *claim* to have fixed it: The login box
has a little lock symbol on it. Click on that, and you get a pop-up window
discussing
In message [EMAIL PROTECTED], Perry E. Metzger writes:
Jerrold Leichter [EMAIL PROTECTED] writes:
If you look at their site now, they *claim* to have fixed it: The login box
has a little lock symbol on it. Click on that, and you get a pop-up window
discussing the security of the page. It
Steven M. Bellovin [EMAIL PROTECTED] writes:
They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to them and not to someone who cleverly sent you an
altered version of the page.
They're doing
In message [EMAIL PROTECTED], Perry E. Metzger writes:
Steven M. Bellovin [EMAIL PROTECTED] writes:
They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to them and not to someone who cleverly sent
17 matches