[WEB SECURITY] Phishing/Spoofing FAQ, and questions re unprotected login sites

Amit Klein (AKsecurity) aksecurity at hotpop.com
Thu Jun 9 13:31:52 EDT 2005


On 9 Jun 2005 at 17:21, Amir Herzberg wrote:

> Many login pages invoke SSL to protect the password in transit by a
> script, but do _not_ protect the login form itself. Of course, if the
> login form is in a spoofed site, users are unlikely to notice,
> considering the page is not even supposed to be protected; this will
> happen even if the users are security-savvy (most are not), and also
> if the users are protected by a browser extension or other mechanism
> that provides a clear indication of unprotected sites (such as
> TrustBar).
> 

This has been discussed at length in the WebAppSec mailing list, 
about a year ago. The thread was started by Mark Curphey:
http://www.securityfocus.com/archive/107/370052/30/0/threaded


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/


