WebApp Sec
mailing list archives
Re: Must we authenticate login forms (using SSL?)?
From: mike03051 () yahoo com
Date: 30 Sep 2005 00:25:12 -0000
Amir,
Thank you for the response and clarification. As to whether I am a security expert, it depends on whether in your
opinion a security expert is made through certification. If so, neither you nor I would qualify as neither of us
appears to flaunt any security certifications.
I gather from your response that we agree that HTTP and HTTPS pages are equally susceptible to both phishing and MITM
attacks. An attacker can always use a bank's name in a URL; for example, citibank.ny02110.biz will work. All the attacker
needs to do is acquire a certificate for their site and they will be able to host an SSL site.
Since we agree on this point of fact, I find the entire HOS listing pointless and misleading. It is your choice as to
what you wish to do with it. Leave it up if you feel like it.
I do believe that TrustBar offers many advantages for a user who chooses to download it. Whether it can read the
certificate or not is probably not one of its major strengths as citibank.ny02110.biz is maybe just not enough
information for a user.
I do want to thank you for the insight into your tool and the explanation of the HOS reasoning.
Mike
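The point Mike makes above is that a hostname like citibank.ny02110.biz carries a bank's name but is registered by whoever owns ny02110.biz, and a valid certificate for it proves nothing about the bank. The following is an added example, not code from the thread or from TrustBar: it extracts the registrable domain (eTLD+1) from a URL and flags hostnames where a trusted brand label appears outside that registrable part, or where a user-info prefix is used to mimic one. The tiny PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List, and the brand list and sample URLs are assumptions for illustration.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed, minimal stand-in for the Public Suffix List
# (https://publicsuffix.org/). A real deployment would load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "biz", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1: the part of the hostname someone actually registered.

    Walks from the full hostname down to the shortest suffix so that a
    multi-label public suffix such as co.uk is matched before uk would be.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a public suffix, not a registrable domain")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def classify(url: str, trusted: set[str]) -> tuple[str, str]:
    """Classify a URL as 'trusted', 'lookalike' or 'unknown' by its registrable domain.

    The scheme (http vs https) is deliberately ignored: a certificate for a
    lookalike domain is easy to obtain, so TLS alone is not a trust signal.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)

    if reg in trusted:
        return reg, "trusted"

    # user:pass@host tricks, e.g. https://citibank.com@ny02110.biz/, put the
    # bank's name in the URL while the request goes to ny02110.biz.
    if parts.username is not None:
        return reg, "lookalike"

    # A trusted brand label appearing as a subdomain label, or embedded in
    # the registrable domain (citibank-secure.biz), but not owned by the brand.
    for t in trusted:
        brand = t.split(".")[0]
        if brand in host.split(".") or brand in reg:
            return reg, "lookalike"

    return reg, "unknown"


if __name__ == "__main__":
    # Constructed sample URLs; only citibank.com is treated as trusted.
    trusted = {"citibank.com"}
    for u in (
        "https://online.citibank.com/login",
        "https://citibank.ny02110.biz/login",
        "https://citibank.com@ny02110.biz/",
        "https://www.example.co.uk/",
    ):
        print(u, "->", classify(u, trusted))
```

The classification depends only on who registered the domain, not on whether the page is served over SSL, which is the equivalence between HTTP and HTTPS phishing that the message above describes.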