Perry E. Metzger wrote:
When I go to the SSL protected page, I can look at the URL and the
lock icon in the corner before typing in my password.
Bless you for being so careful. I, instead, look at the logo of the site
and of the CA as displayed in TrustBar. This is much easier, and
protect
Perry E. Metzger wrote:
Ben Laurie <[EMAIL PROTECTED]> writes:
Perry E. Metzger wrote:
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going t
Ben Laurie <[EMAIL PROTECTED]> writes:
> Perry E. Metzger wrote:
>> "Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>>
They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to them and n
"R. Hirschfeld" <[EMAIL PROTECTED]> writes:
>> From: "Perry E. Metzger" <[EMAIL PROTECTED]>
>> Date: Wed, 08 Jun 2005 19:01:37 -0400
>
>> The other major offenders are organizations (such as portions of
>> Verizon) that subcontract payment systems to third parties. They are
>> training their users
Ivars Suba responded to me:
1. This doesn't have any effect on non-SSL-protected sites (e.g.
AmEx,... see `Hall of Shame`). And of course assumes users will notice
the use of non-SSL-site...
Vowww.. I didn't know that AmEx is not ssl protected ;))
Before user credentials are passed to si
Perry E. Metzger wrote:
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
They're still doing the wrong thing. Unless the page was transmitted
to you securely, you have no way to trust that your username and
password are going to them and not to someone who cleverly sent you an
altered version o
Few comments on what Ivars Suba wrote:
How to fight against phishing in an organization environment?
Quite easy: put an SSL termination proxy between the client browser and the SSL
server:
Sure, but:
1. This doesn't have any effect on non-SSL-protected sites (e.g.
AmEx,... see `Hall of Shame`). And of course
> From: "Perry E. Metzger" <[EMAIL PROTECTED]>
> Date: Wed, 08 Jun 2005 19:01:37 -0400
> The other major offenders are organizations (such as portions of
> Verizon) that subcontract payment systems to third parties. They are
> training their users to expect to be directed to a site they don't
> rec
Ken, you are correct (see below). And in fact, if the page came from the
right source (as validated by SSL and a secure browser extension such as
TrustBar), I don't think there is any need to validate the source (which
is impractical even for the geekest geek). After all, if a site is so
cluele
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:
>"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>>>They're still doing the wrong thing. Unless the page was transmitted
>>>to you securely, you have no way to trust that your username and
>>>password are going to them and not to someone who cleverly
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>>That's why Citibank and most well run bank sites have you click on a
>>button on the front page to go to the login screen. There are ways to
>>handle this correctly.
>
> There's an attack there, too -- one can divert the link to the login
> scree
In message <[EMAIL PROTECTED]>, "Perry E. Metzger" writes:
>
>"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>>>They're still doing the wrong thing. Unless the page was transmitted
>>>to you securely, you have no way to trust that your username and
>>>password are going to them and not to someone
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>>They're still doing the wrong thing. Unless the page was transmitted
>>to you securely, you have no way to trust that your username and
>>password are going to them and not to someone who cleverly sent you an
>>altered version of the page.
>
> The
In message <[EMAIL PROTECTED]>, "Perry E. Metzger" writes:
>
>Jerrold Leichter <[EMAIL PROTECTED]> writes:
>> If you look at their site now, they *claim* to have fixed it: The login box
>
>> has a little lock symbol on it. Click on that, and you get a pop-up window
>> discussing the security of
Jerrold Leichter wrote:
> | Perry makes a lot of good points, but then gives a wrong example re Amex
> site
> | (see below). Amex is indeed one of the unprotected login sites (see my
> `I-NFL
> | Hall of Shame`, http://AmirHerzberg.com/shame.html). However, Amex is one of
> | the few companies th
chter
Cc: Amir Herzberg; cryptography@metzdowd.com
Subject: Re: AmEx unprotected login site
Jerrold Leichter <[EMAIL PROTECTED]> writes:
> If you look at their site now, they *claim* to have fixed it: The
login box
> has a little lock symbol on it. Click on that, and you ge
Jerrold Leichter <[EMAIL PROTECTED]> writes:
> If you look at their site now, they *claim* to have fixed it: The login box
> has a little lock symbol on it. Click on that, and you get a pop-up window
> discussing the security of the page. It says that although the page itself
> isn't protect
| Perry makes a lot of good points, but then gives a wrong example re Amex site
| (see below). Amex is indeed one of the unprotected login sites (see my `I-NFL
| Hall of Shame`, http://AmirHerzberg.com/shame.html). However, Amex is one of
| the few companies that actually responded seriously to my
Amir Herzberg wrote:
3. They did not actually spell out the problem in using SSL in the
homepage (like eTrade, for instance). But I think I know the reason
(they didn't confirm or deny). I think the reason is that they host
their site; in particular, when I tried accessing it via https, I got an
Amir Herzberg <[EMAIL PROTECTED]> writes:
> Perry makes a lot of good points, but then gives a wrong example re
> Amex site (see below). Amex is indeed one of the unprotected login
> sites (see my `I-NFL Hall of Shame`,
> http://AmirHerzberg.com/shame.html). However, Amex is one of the few
> compa