[WEB SECURITY] Phishing/Spoofing FAQ, and questions re unprotected login sites

Jeremiah Grossman jeremiah at whitehatsec.com
Thu Jun 9 12:09:21 EDT 2005

On Thursday, June 9, 2005, at 08:21  AM, Amir Herzberg wrote:
> Question 1: do you agree - or disagree - that this is a problem?

I think the scenario described is a choice between security and 
performance. To the user, convenience doesn't really play a role. 
Whether this can be classified as a "problem" or not depends on the 
data the website is protecting.

For instance, if I have a Web Mail account and all it does is receive 
mailing list traffic which I read and delete, I'm not too concerned if 
my password is sniffed and account compromised. I'll just register 
another account, re-subscribe and be on my merry way. Therefore, 
lacking an SSL login form is not really a problem for me.

If we are talking about my Web Bank account, where I do care about the 
security of my data, then I do see a problem if the form is not SSL.

At the end of the day, I believe it really all comes down to the value 
of the data. If there is a question, the website should give the user a 
choice of which they feel more comfortable with.

> Question 2: do you see a very good reason for these sites to operate
> in this way?


