WebApp Sec mailing list archives
Re: Defending users of unprotected login pages with TrustBar 0.4.9.93
From: Amir Herzberg <herzbea () macs biu ac il>
Date: Tue, 20 Sep 2005 09:56:37 +0200
A few responses tried to correct me, and explained that these "unprotected
login forms", e.g. of Chase and BoA, are OK since they encrypt before
sending the password. For example, Mike said:

>> As I suspected, the hall-of-shame posted on Amir's site may be a bit
>> misguided since these pages do in fact submit HTTPS (SSL) logins

Thanks - but you are wrong. Using SSL/TLS to send the password is
insufficient to ensure security against a Man-in-the-Middle (MITM)
adversary. A MITM attacker can send a fake login form to begin with.
This is a well-known problem, which was discussed on this list. I
explain it in detail in the FAQ page of the Hall of Shame.

Indeed, I mentioned that we added two mechanisms to TrustBar to defend
users of sites using unprotected login forms... The first solution
simply redirects them to a protected alternative page, when we are aware
of it. Such protected alternative login pages exist for most banks that
have unprotected login (e.g. Chase, Wachovia, US Bank, PayPal, BoA).

The other solution simply establishes that the login form was not
modified - hence preventing the MITM attack, while leaving the web page
exactly as it was. This would work for sites that do not have a
protected login at all - as long as their (unprotected) login page does
not change. It would work better if these pages were at least digitally
signed...
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI:
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame
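The two mechanisms the message describes (redirect to a known protected alternative, otherwise verify that the unprotected login form is unchanged), as an added illustration; this is not TrustBar's own code. The bank hostnames, the sample login page, its tampered variant and the pinned fingerprint are all constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
# Constructed sample: a login page served over plain HTTP whose form posts over HTTPS,
# the "encrypts before sending" pattern the message argues is still MITM-exposed.
ORIGINAL_PAGE = """<html><body><form action="https://www.example-bank.test/login" method="post">
<input name="user"><input name="pass" type="password"><input type="submit" value="Log in">
</form></body></html>"""
# The same page with the form action rewritten to another host (constructed tamper case).
TAMPERED_PAGE = ORIGINAL_PAGE.replace("https://www.example-bank.test/login",
                                      "https://www.example-bank.test.untrusted-proxy.test/login")
class FormCanonicalizer(HTMLParser):
    """Collects every <form> and its <input> tags as one canonical string."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None
    def handle_starttag(self, tag, attrs):
        line = tag + " " + " ".join(f"{k}={v}" for k, v in sorted(attrs))
        if tag == "form":
            self._current = [line]
        elif tag == "input" and self._current is not None:
            self._current.append(line)
    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append("\n".join(self._current))
            self._current = None

def form_fingerprint(html):
    """SHA-256 over the form structure only: unrelated page edits keep the pin valid."""
    parser = FormCanonicalizer()
    parser.feed(html)
    return hashlib.sha256("\n--\n".join(parser.forms).encode()).hexdigest()

# Mechanism 1: protected alternatives for unprotected login URLs (hypothetical entries).
PROTECTED_ALTERNATIVES = {"http://www.other-bank.test/": "https://secure.other-bank.test/login"}
# Mechanism 2: pinned fingerprints of unprotected login forms, taken from a trusted snapshot.
PINNED_FORMS = {"http://www.example-bank.test/login": form_fingerprint(ORIGINAL_PAGE)}

def check_login_page(url, html):
    """Return (verdict, detail) for a login page fetched from url."""
    if url.startswith("https://"):
        return ("protected", url)                  # page itself served over TLS
    if url in PROTECTED_ALTERNATIVES:
        return ("redirect", PROTECTED_ALTERNATIVES[url])
    if url not in PINNED_FORMS:
        return ("unknown", None)                   # no pin: nothing to verify against
    fingerprint = form_fingerprint(html)
    if fingerprint == PINNED_FORMS[url]:
        return ("unmodified", fingerprint)
    return ("modified", fingerprint)               # form changed: warn, do not submit
```

A pinned fingerprint only covers the form that was snapshotted; a site that legitimately changes its login form needs a new pin, which is the "as long as their login page does not change" limitation the message notes.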