[WEB SECURITY] Phishing/Spoofing FAQ, and questions re unprotected login sites

Amir Herzberg leests at gmail.com
Thu Jun 9 11:21:25 EDT 2005

Many login pages invoke SSL to protect the password in transit by a
script, but do _not_ protect the login form itself. Of course, if the
login form is in a spoofed site, users are unlikely to notice,
considering the page is not even supposed to be protected; this will
happen even if the users are security-savvy (most are not), and also
if the users are protected by a browser extension or other mechanism
that provides a clear indication of unprotected sites (such as
Question 1: do you agree - or disagree - that this is a problem? 

Question 2: do you see a very good reason for these sites to operate
in this way?

Question 3: I keep a `hall of shame` listing such sites, but the owner
of this list insisted I do not include it in this posting, although I
told him I made all these sites aware of the issue long ago and any
that cared to respond claimed they don't consider this a
vulnerability [except a few that actually took care of it]. Do you
agree with his policy? Do you think I should remove this list since it
may help hackers? I think I made every reasonable effort to warn the

If you are interested in other Q&A on phishing/spoofing, please see
http://www.cs.biu.ac.il/~herzbea/shame/FAQ.htm. Comments and
suggestions most welcome.

Amir Herzberg
Associate Professor, dept. of Computer Science
Bar Ilan University
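An added example, not part of the original post, of how a site owner can audit their own pages for the pattern the post describes: a login form delivered over plain HTTP whose action posts to HTTPS. It only inspects the static `action` attribute (a script that rewrites the action at submit time is invisible to it), which is exactly why the scheme of the page that delivers the form is the decisive check; the URLs and HTML below are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _LoginFormFinder(HTMLParser):
    """Collect every <form> that contains an <input type="password">."""
    def __init__(self):
        super().__init__()
        self.forms = []       # (action, has_password) for each closed form
        self._current = None  # [action, has_password] of the form being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None

def audit_login_page(page_url, html):
    """Return (finding, action) for every form holding a password field.
    'form-over-http': the page delivering the form is plain HTTP, so the form
    (and its action) can be altered or spoofed even though it posts to HTTPS.
    'post-over-http': the password itself travels in clear text."""
    parser = _LoginFormFinder()
    parser.feed(html)
    parser.close()
    page_scheme = urlparse(page_url).scheme
    findings = []
    for action, has_password in parser.forms:
        if not has_password:
            continue
        # Resolve relative actions (including action="") against the page URL.
        target_scheme = urlparse(urljoin(page_url, action)).scheme
        if target_scheme != "https":
            findings.append(("post-over-http", action))
        elif page_scheme != "https":
            findings.append(("form-over-http", action))
        else:
            findings.append(("ok", action))
    return findings

if __name__ == "__main__":
    # Constructed sample: HTTP login page whose form posts to HTTPS.
    page = '<form action="https://login.example.test/auth"><input type="password" name="pw"></form>'
    print(audit_login_page("http://www.example.test/login", page))
```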
