[WEB SECURITY] Phishing/Spoofing FAQ, and questions re unprotected login sites

Jeremiah Grossman jeremiah at whitehatsec.com
Thu Jun 9 12:09:21 EDT 2005


On Thursday, June 9, 2005, at 08:21  AM, Amir Herzberg wrote:
>
> Question 1: do you agree - or disagree - that this is a problem?

I think the scenario described is a choice between security and 
performance. To the user, convenience doesn't really play a role. 
Whether this can be classified as a "problem" or not depends on the 
data the website is protecting.

For instance, if I have a Web Mail account and all it does is receive 
mailing list traffic which I read and delete, I'm not too concerned if 
my password is sniffed and account compromised. I'll just register 
another account, re-subscribe and be on my merry way. Therefore, 
lacking an SSL login form is not really a problem for me.

If we are talking about my Web Bank account, where I do care about the 
security of my data, then I do see a problem if the form is not SSL 
enabled.

At the end of the day, I believe it really all comes down to the value 
of the data. If there is a question, the website should give the user a 
choice of which they feel more comfortable with.


> Question 2: do you see a very good reason for these sites to operate
> in this way?

Performance.


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
