"James A. Donald" writes:
>The interesting thing is that it and similar phishes do not seem to have been
>all that successful - few people seemed to notice at all, the general
>reaction being to simply hit the spam key reflexively, much as people click
>away popup warnings reflexively, and are un
John Levine writes:
>> Clever though this scheme [kittens] is, man-in-the-middle
>> attacks make it no better than a plain SSL
>> login screen.
Peter Gutmann wrote:
> You don't even need a MITM, just replace the site
> image on your phishing site with either a broken-image
> picture or a messag
On Wed, 25 Feb 2009 10:04:40 -0800
Ray Dillinger wrote:
> On Wed, 2009-02-25 at 14:53, John Levine wrote:
>
> > You're right, but it's not obvious to me how a site can tell an evil
> > MITM proxy from a benign shared web cache. The sequence of page
> > accesses would be pretty similar.
>
On Wed, 2009-02-25 at 14:53, John Levine wrote:
> You're right, but it's not obvious to me how a site can tell an evil
> MITM proxy from a benign shared web cache. The sequence of page
> accesses would be pretty similar.
There is no such thing as a "benign" web cache for secure pages.
If y
>This means a site paying attention to such things could notice a
>change in IP address, or, if several users were attacked this way,
>notice repeated connections from the same IP. (Granted the MITM
>could distribute the queries over a botnet, but it raises the bar
>somewhat.)
>
>I have no idea if
John Levine writes:
>Clever though this scheme is, man-in-the-middle attacks make it no better
>than a plain SSL login screen.
You don't even need a MITM, just replace the site image on your phishing site
with either a broken-image picture or a message that your award-winning
site-image softw
Clever though this scheme is, man-in-the-middle attacks make it no
better than a plain SSL login screen. Since the bad guy knows what site
you're trying to reach, he can use your usercode to fetch the shared
secret from the real site and present it to you on his fake site. It's
true, the fa
>you enter a usercode in the first screen, you are presented with a
>second screen to enter your password. The usercode is a mnemonic
>6-character code such as HB75RC (randomly generated, you receive from
>the server upon registration). Your password is freely chosen by you
>upon registration. That
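To make the argument in this thread concrete, here is a small Python simulation added to this archive page; it is not code from any poster or from the scheme's author. It models the two-screen usercode / site-image login quoted just above, John Levine's point that a phishing site can simply relay the usercode to the real site and show the genuine image (no network-level MITM required), and the two server-side heuristics mentioned earlier in the thread: flag a usercode arriving from a new address, and flag one address that looks up many different usercodes. Everything in it is constructed: the IP addresses, the "pw-N" passwords, the "kitten-....png" string standing in for the site image, and the class and function names (RealSite, PhishingProxy, run_scenario) are all assumptions for the example.

```python
import secrets
import string
from collections import defaultdict

USERCODE_ALPHABET = string.ascii_uppercase + string.digits


class RealSite:
    """The genuine site (toy model): usercode -> site image + password.
    Passwords are kept in the clear only to keep the example short."""

    def __init__(self):
        self.accounts = {}                  # usercode -> {"image", "password", "last_ip"}
        self.step1_log = defaultdict(set)   # client IP -> usercodes it has looked up

    def register(self, password, client_ip):
        """Issue a random 6-character usercode (like HB75RC) and a random site image."""
        usercode = "".join(secrets.choice(USERCODE_ALPHABET) for _ in range(6))
        image = f"kitten-{secrets.token_hex(4)}.png"      # constructed stand-in for the picture
        self.accounts[usercode] = {"image": image, "password": password, "last_ip": client_ip}
        return usercode, image

    def step1(self, usercode, client_ip):
        """Screen 1: usercode in, site image out. Anyone holding the usercode gets the image."""
        self.step1_log[client_ip].add(usercode)
        acct = self.accounts.get(usercode)
        return acct["image"] if acct else None

    def step2(self, usercode, password, client_ip):
        """Screen 2: password check; remembers the address of the last successful login."""
        acct = self.accounts.get(usercode)
        if acct is None or not secrets.compare_digest(acct["password"], password):
            return False
        acct["last_ip"] = client_ip
        return True

    def ip_changed(self, usercode, client_ip):
        """Heuristic 1 from the thread: the usercode is arriving from a new address."""
        return self.accounts[usercode]["last_ip"] != client_ip

    def suspicious_ips(self, threshold=3):
        """Heuristic 2 from the thread: one address looking up many different usercodes.
        (A relay spread over a botnet stays under any such threshold.)"""
        return {ip for ip, codes in self.step1_log.items() if len(codes) >= threshold}


class PhishingProxy:
    """Active relay, no network MITM needed: forwards the victim's usercode to the
    real site from its own address, shows the genuine image, then captures the password."""

    def __init__(self, real, own_ip):
        self.real = real
        self.own_ip = own_ip
        self.captured = {}                  # usercode -> password typed into the fake site

    def fake_step1(self, usercode):
        return self.real.step1(usercode, self.own_ip)

    def fake_step2(self, usercode, password):
        self.captured[usercode] = password
        return self.real.step2(usercode, password, self.own_ip)


def run_scenario(n_victims=4, proxy_ip="203.0.113.9"):
    """n victims register at the real site, then each logs in through the phishing
    proxy exactly as the scheme instructs: check the image, then type the password."""
    real = RealSite()
    proxy = PhishingProxy(real, proxy_ip)
    image_matched, ip_flagged = [], []
    for i in range(n_victims):
        victim_ip = f"198.51.100.{i + 1}"       # constructed address
        password = f"pw-{i}"                    # constructed password
        usercode, expected_image = real.register(password, victim_ip)

        shown = proxy.fake_step1(usercode)          # genuine image, fetched by the attacker
        ip_flagged.append(real.ip_changed(usercode, proxy_ip))
        image_matched.append(shown == expected_image)
        if shown == expected_image:                 # the check the scheme relies on passes...
            proxy.fake_step2(usercode, password)    # ...so the victim hands over the password
    return {
        "image_matched": image_matched,
        "captured": dict(proxy.captured),
        "ip_flagged": ip_flagged,
        "suspicious_ips": real.suspicious_ips(threshold=3),
        "logged_in_as_victims": all(real.step2(c, p, proxy_ip) for c, p in proxy.captured.items()),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Run as-is, every victim sees the image they expect and every password is captured, which is the thread's point: the image proves only that someone holding the usercode has talked to the real site. The two heuristics do fire here (each usercode shows up from an unfamiliar address, and the relay's single address crosses the lookup threshold), but as the thread already notes, both are easy to dilute once the relay's requests are spread across many addresses.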