[WEB SECURITY] Phishing/Spoofing FAQ, and questions re unprotected login sites

Amir Herzberg leests at gmail.com
Thu Jun 9 11:21:25 EDT 2005


Many login pages invoke SSL to protect the password in transit by a
script, but do _not_ protect the login form itself. Of course, if the
login form is on a spoofed site, users are unlikely to notice,
considering the page is not even supposed to be protected; this will
happen even if the users are security-savvy (most are not), and also
if the users are protected by a browser extension or other mechanism
that provides a clear indication of unprotected sites (such as
TrustBar).
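
As an added illustration (not part of the original post), a small audit
script for the pattern described above: it flags password forms served from
a plain-HTTP page even when the form's action points at HTTPS. The page URL
and HTML below are constructed samples, not sites from the author's list.

```python
"""Audit a login page: is the form itself served over HTTPS, not just its action?"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> on the page and note whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # attribute values may be None, hence the "or ''" below
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return [(resolved_action_url, verdict)] for each password form on the page.

    Verdicts: "ok"                -> page and action both HTTPS
              "form-unprotected"  -> HTTPS action, but the form arrived over HTTP
                                     (the case discussed in the post: a network
                                     attacker or spoofed site can replace the form)
              "password-in-clear" -> the action itself is not HTTPS
    """
    parser = _FormCollector()
    parser.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])   # empty action posts back to the page
        action_https = urlparse(action).scheme == "https"
        if page_https and action_https:
            verdict = "ok"
        elif action_https:
            verdict = "form-unprotected"
        else:
            verdict = "password-in-clear"
        findings.append((action, verdict))
    return findings


# Constructed sample: an HTTP login page whose form posts to an HTTPS endpoint.
SAMPLE_HTML = """<html><body>
<form action="https://login.example.com/auth" method="post">
<input name="user"><input type="password" name="pw"></form></body></html>"""
```

Running `audit_login_page("http://www.example.com/login", SAMPLE_HTML)` reports the
form as "form-unprotected"; serving the same page over HTTPS turns the verdict into "ok".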

Question 1: do you agree - or disagree - that this is a problem? 

Question 2: do you see a very good reason for these sites to operate
in this way?

Question 3: I keep a `hall of shame` listing such sites, but the owner
of this list insisted I do not include it in this posting, although I
told him I made all these sites aware of the issue long ago and any
that cared to respond claimed they don't consider this a
vulnerability [except a few that actually took care of it]. Do you
agree with his policy? Do you think I should remove this list since it
may help hackers? I think I made every reasonable effort to warn the
sites...

If you are interested in other Q&A on phishing/spoofing, please see
http://www.cs.biu.ac.il/~herzbea/shame/FAQ.htm. Comments and
suggestions most welcome.

-- 
Amir Herzberg
Associate Professor, dept. of Computer Science
Bar Ilan University
http://AmirHerzberg.com

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/