[WEB SECURITY] Phishing/Spoofing FAQ, and questions re unprotected login sites

Amit Klein (AKsecurity) aksecurity at hotpop.com
Thu Jun 9 13:31:52 EDT 2005

On 9 Jun 2005 at 17:21, Amir Herzberg wrote:

> Many login pages invoke SSL to protect the password in transit by a
> script, but do _not_ protect the login form itself. Of course, if the
> login form is in a spoofed site, users are unlikely to notice,
> considering the page is not even supposed to be protected; this will
> happen even if the users are security-savvy (most are not), and also
> if the users are protected by a browser extension or other mechanism
> that provides a clear indication of unprotected sites (such as
> TrustBar).

This has been discussed at length in the WebAppSec mailing list, 
about a year ago. The thread was started by Mark Curphey:
