Joshua Slive wrote:
On 2/6/06, Mark McCulligh <[EMAIL PROTECTED]> wrote:
The client should alway be logging
in on their website for I hope they reallize if they where not on their
website.
I'm not sure if you understood or not, but my point was that a
man-in-the-middle could make it look exactly like they were on their
own site. He could simply replace the target URL on the form to point
to his own site. (If you checked the URL-bar, you might see
after-the-fact that you had gone to the wrong site. But the data
would already be stolen.)
I think you misunderstood my reply. I was just trying to explain my setup.
This type of attack can be pulled off even if the login form is secured.
The attacker just has create a login page that looks like mine and get
the user to use it. A lot of users won't realize they are on the wrong
website and the lock(secure) is missing. We have all seen those Paypal
emails that try and get you to click on the link and login.
Mark.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
___________________________________________
Mark McCulligh, Web Consultant
VisualTech Components www.VisualTech.ca
[EMAIL PROTECTED]
(519)318-7905
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
