Re: More US bank silliness

2008-09-09 Thread Florian Weimer
* Peter Gutmann:

 On a semi-related topic, it'd be interesting to get some discussion about FF3 
 removing the FF2 SSL indicators of the padlock and (more visibly) the 
 background colour-change for the URL bar when SSL is active and replacing it 
 with a spoof-friendly indicator that's part of the favicon, i.e. part of the 
 attacker-controlled content.

To keep this in perspective, note that you could disable the location
bar altogether in FF2 (and that default changed in FF3), so the FF3
approach is actually an improvement.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: More US bank silliness

2008-09-08 Thread Sebastian Krahmer

Hi,

This reminds me of the weirdest SSL-related error message I have ever
seen, which has been there for ages:

https://www.fbi.gov

Besides that, the certificate is wrong :-)

regards,
Sebastian

On Mon, Sep 08, 2008 at 01:29:34AM +1200, Peter Gutmann wrote:

 In the ongoing comedy of errors that is US online banking security I've just
 run into another one that's good for a giggle: Go to www.wachovia.com and,
[...]

---
~~ perl self.pl
~~ $_='print\$_=\47$_\47;eval';eval
~~ [EMAIL PROTECTED] - SuSE Security Team
~~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)



Re: More US bank silliness

2008-09-08 Thread Sam Hartman
 Peter == Peter Gutmann [EMAIL PROTECTED] writes:

Peter On a semi-related topic, it'd be interesting to get some
Peter discussion about FF3 removing the FF2 SSL indicators of the
Peter padlock and (more visibly) the background colour-change for
Peter the URL bar when SSL is active and replacing it with a
Peter spoof-friendly indicator that's part of the favicon,
Peter i.e. part of the attacker-controlled content.  The URL bar
Peter colouring was by far the most visible security indicator
Peter that any web browser had, the giant leap backwards of
Peter moving to a near-invisible blue border around the favicon
Peter does nothing to indicate security and is trivially spoofed
Peter by putting a blue border around the favicon.  There's a
Peter bugzilla bug filed against it,
Peter https://bugzilla.mozilla.org/show_bug.cgi?id=430790 (with
Peter inevitable dups,


Peter, list, the W3C Web Security Context working group is in the
final week of a public last call on their user interface guidelines.
These guidelines take a look both at the balance between EV certs and
at the user interface for security indicators.

Comments need to be received by September 15. The draft is at
http://www.w3.org/TR/2008/WD-wsc-ui-20080724/ and my take is at
http://www.painless-security.com/blog/2008/08/w3sc-lc/ .



More US bank silliness

2008-09-07 Thread Peter Gutmann
In the ongoing comedy of errors that is US online banking security I've just
run into another one that's good for a giggle: Go to www.wachovia.com and,
without entering any credentials, click 'Login' on their unsecured logon page.
You get taken to an authenticated, SSL-secured... error message page.  The
error message page gives you a chance to retry your logon, carefully
redirecting you back to the insecure logon page.  So displaying a glorified
401 requires SSL, but obtaining user credentials doesn't.

(Insert standard moan about US banks here).

On a semi-related topic, it'd be interesting to get some discussion about FF3 
removing the FF2 SSL indicators of the padlock and (more visibly) the 
background colour-change for the URL bar when SSL is active and replacing it 
with a spoof-friendly indicator that's part of the favicon, i.e. part of the 
attacker-controlled content.  The URL bar colouring was by far the most 
visible security indicator that any web browser had, the giant leap backwards 
of moving to a near-invisible blue border around the favicon does nothing to 
indicate security and is trivially spoofed by putting a blue border around the 
favicon.  There's a bugzilla bug filed against it, 
https://bugzilla.mozilla.org/show_bug.cgi?id=430790 (with inevitable dups, 
e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=431495) but there's no 
indication that the FF developers are interested in fixing it.  From the 
discussion thread on bugzilla it seems the reason is that only EV certs matter 
so there's no point in paying much attention to non-EV certs.

(Again, roll standard music about EV certs benefitting no-one but the CAs
selling them).

Peter.
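The Wachovia behaviour Peter describes (credentials collected on a plain-HTTP page, with TLS reserved for the error page) is easy to check for mechanically. The following is an added example, not code from the thread or from any bank: it parses a page's forms and flags any form containing a password field that is either served from a non-HTTPS URL or submits to one. The page URL and HTML below are constructed sample input; `bank.example` is a placeholder, not a real site.

```python
"""Flag credential forms that are served or submitted without TLS.

Added example (not from the mailing-list thread). Both conditions are
reported: a form posting to HTTPS from an HTTP page is still a problem,
because the unprotected page (and thus the form's action) can be altered
in transit and the user sees no security indicator while typing.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each form's resolved action URL and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # each entry: {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty/missing action submits back to the page itself.
            action = attrs.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action),
                             "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_credential_forms(page_url, html):
    """Return [(action_url, [problem, ...]), ...] for password forms lacking TLS."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue                      # no credentials collected here
        action_scheme = urlsplit(form["action"]).scheme.lower()
        problems = []
        if page_scheme != "https":
            problems.append("form served over %s" % page_scheme)
        if action_scheme != "https":
            problems.append("form posts to %s" % action_scheme)
        if problems:
            findings.append((form["action"], problems))
    return findings


# Constructed sample: a logon form on a plain-HTTP page that posts to HTTPS,
# plus an unrelated search form without a password field.
SAMPLE_URL = "http://bank.example/"
SAMPLE_HTML = """
<html><body>
<form action="https://bank.example/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Login">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for action, problems in insecure_credential_forms(SAMPLE_URL, SAMPLE_HTML):
        print(action, "->", "; ".join(problems))
```

Run against the sample, only the logon form is reported, with the reason "form served over http"; serving the same page over HTTPS clears the finding. In practice the `html` argument would be the body fetched from the logon URL a site advertises to its customers.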
