WebApp Sec: Re: Must we authenticate login forms (using SSL?)?

Re: Must we authenticate login forms (using SSL?)?

From: Amir Herzberg <amir.herzberg_at_gmail.com>
Date: Sun, 02 Oct 2005 09:07:05 +0200

Mike, thanks.
>
> Thank you for the response and clarification.
...
> As to whether I am a security expert, it depends on whether in your
> opinion a security expert is made through certification.
...
No, I just wanted to know if you consider yourself one, and I think your
reply counts as yes.
>
> I gather from your response that we agree that HTTP and HTTPS pages are equally susceptible to both
> phishing and MITM attacks.
No. We certainly agree on HTTP pages. Re HTTPS (SSL) pages, both my
intuition and my experiments seem to show that MITM and phishing attacks
still have a significant chance to succeed with users of current
browsers, but a much lesser chance to succeed with browsers with
improved security indicators (e.g. FireFox with the TrustBar extension).
There is still a non-negligible risk of non-detection (which we hope
to reduce further, e.g. by improving TrustBar). But it is definitely not
`equally susceptible`, imho. Ignoring such significant improvement due
to the fact that risk is not completely eliminated is, imho, a mistake.

> An attacker can always use a bank’s name url, as for
> example, citibank.ny02110.biz will work. All the attacker needs to do is acquire a certificate for their site and they will be able to host an SSL site.
I definitely agree that this remains a viable attack, but TrustBar does
reduce this threat significantly; and even without TrustBar, this attack
is substantially less likely to succeed compared to a non-SSL site.
>
> Since we agree on this point of fact, I find the entire HOS listing pointless and misleading.
Well so we don't agree here... that happens.
>
> I do believe that TrustBar offers many advantages for a user who chooses to download it.
Thanks!
> Whether it can read the certificate or not is probably not one of its major strengths as
> citibank.ny02110.biz is maybe just not enough information for a user.
But, TrustBar presents more than this!! In your first contact with the
bank, you'll get their _name_; in particular for Citibank, you get
`Citigroup` - which an attacker is not likely to be able to get signed
by any CA (I hope!)... And then the customer will hopefully usually
assign a logo or a personal name - and this is something that the
spoofed site has no way of getting at all.

Customers can also assign a name/logo to non-https sites, but this will
fail against a MITM attacker...

Thanks a lot for your feedback and best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI:
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame
Received on Oct 02 2005
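The distinction Amir draws above (host name versus the certificate's Organization, plus a user-assigned personal name, and nothing trustworthy at all over plain HTTP) as an added example; this is illustrative code written for this page, not TrustBar's own code, and the certificates, host names and personal names in it are constructed.

```python
# Added example (not code from the thread or from TrustBar): a small model of
# what a TrustBar-style indicator can show for a login URL, based on the
# certificate's subject Organization rather than the host name alone.
from urllib.parse import urlsplit

# Constructed sample certificates in the dict shape that Python's
# ssl.SSLSocket.getpeercert() returns; all values here are invented.
LEGIT_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Citigroup"),),
                (("commonName", "www.citibank.com"),)),
    "subjectAltName": (("DNS", "www.citibank.com"),),
}
# A domain-validated certificate for a look-alike host: no Organization
# field, the CA only vouched for control of the domain itself.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "citibank.ny02110.biz"),),),
    "subjectAltName": (("DNS", "citibank.ny02110.biz"),),
}


def subject_field(cert, key):
    """Return the first subject attribute named key, or None."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == key:
                return v
    return None


def trust_indicator(url, cert, personal_names):
    """Model what the indicator displays for a login page at url.

    personal_names maps a hostname to the logo/name the user assigned on an
    earlier visit (the customer-assigned name discussed in the message)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Plain HTTP: a man-in-the-middle can rewrite the page, so neither
        # the site name nor a remembered personal name can be trusted.
        return {"status": "unprotected", "name": None, "personal": None}
    host = parts.hostname
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if host not in sans and host != subject_field(cert, "commonName"):
        return {"status": "mismatch", "name": None, "personal": None}
    org = subject_field(cert, "organizationName")
    # With no Organization in the certificate, all the indicator can show is
    # the host name, which is exactly what a look-alike domain relies on.
    return {"status": "protected", "name": org or host,
            "personal": personal_names.get(host)}
```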