WebApp Sec: Re: webappsec Digest 21 Sep 2005 21:26:31 -0000 Issue 636

[Amir Herzberg <amir.herzberg () gmail com>]

mike03051 () yahoo com said:

> Amir,
>
> Let’s differentiate the issues a bit for clarity. Specifically, let’s differentiate your Hall of Shame list from
> TrustBar features and functions.
> We should all be able to agree on statements of fact: 
> Both http: and https: (SSL) sites are subject to MITM exploits.
SSL sites may be subject to MITM exploits, but only when users do not 
check the identity of the subject and issuer in the certificate. Users 
can validate these identities easily using TrustBar, and in theory even 
without it.
Non-SSL sites (http:) are completely vulnerable to MITM - even the most 
expert user cannot detect spoofing... except for reading the source code 
which is clearly not practical...
Furthermore, non-SSL sites are subject also to phishing attacks, where 
the user is tricked
into requesting a wrong URL, e.g. from email. Again, SSL sites can be 
subject to such attack as well, but users are much better protected from 
it. Without TrustBar, attacker still has to get a cert for the URL from 
one of the CAs `trusted` by the browser (or trick the user into 
approving); most attackers simply present a non-SSL site (but some users 
may notice that). With TrustBar, there is a fair chance for detection 
even by naive users (noting that they don't get the right logo/name for 
the site).
> I wonder then what is the justification for placing some sites in your Hall of Shame listing. 
> It is not unreasonable to view your pages and come to the conclusion
> that HOS entries are there because they allow access to logon forms 
using an HTTP url.
Of course.
> If that is the case, then I take exception to the prima facia claims on your site that 
> These are Hall of Shame. They all submit secure web forms, like any other secure web site
> in the world. Your HOS identified sites are no more (or no less) susceptible to MITM
> than any other site in the world, either.
Well, I guess if you insist, I'll have to change something in my 
discussions. You may be the first security expert to actually insist on 
this claim (and that includes experts in companies that have unprotected 
login sites!). I think I've stated my arguments about as clearly as I 
can... So if you still disagree, just let me know if you consider 
yourself a security expert. I'm not saying that your opinion is 
irrelevant if you are not a security expert, it is just the I want to 
know if I need to modify my statement (that all security experts I've 
talked with agreed with non-SSL login sites being worthy of HoS...).
> Now as for TrustBar. I have not downloaded or tested TrustBar, so I cannot vouch for 
> how well it works, but from the web site it detects HTTPS connections and attempts to 
> match the certificate with the url. This helps to read a certificate. 
> One nice touch is the nice logo display for visual verification.
> Now a question: does it work if the certificate is valid but says something like 
> citibank.asecur-e.com? Do your company logo displays from a db or are they downloaded 
> from the site?
Of course it `works`, i.e., if you've set Citibank logo to the Citibank 
site (SSL protected or not) then you'll see if only in the respective 
Citibank site. Of course, this by itself does not protect users from a 
MITM attack if the site is unprotected. We are exploring some mechanisms 
for this, in particular the idea I've been asking this list about which 
is for sites to digitally sign the pages so they are secure from 
tampering (even by MITM...).
--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: 
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame