[WEB SECURITY] Phishing/Spoofing FAQ, and questions re unprotected login sites
Neil Smithline
neil.smithline at gmail.com
Thu Jun 9 12:28:16 EDT 2005
Regarding 1, I am surprised that you have found so many sites with this
problem. When I speak with users they typically talk about looking for the
lock on their browser when they get the login page as one of the few if not
only security checks they perform. Alas, this isn't necessarily helpful as
the site might have a login page in HTTPS but post the data over HTTP.
Regarding 2, no good reason. Especially being that the form login page can
avoid graphics or put the graphics over HTTP rather than HTTPS (although
some browsers warn about this it is not really a problem as we know that
users just ignore all of those browser warnings anyway :-). So, if
performance isn't the problem, what can be the reason?
Question 3 is a toughie in my mind. I think you have an obligation to treat
known vulnerabilities as confidential data and try and have them repaired
without exposing the site and its users to unnecessary risk. You are asking
what to do when the owner of the site is unresponsive on the repair. Does it
then become your responsibility to warn people about the risks involved even
if you are perhaps simplifying the task of hackers? I'm not sure. Perhaps if
you can warn users in a way that doesn't divulge the information to hackers,
it is best. For example, how does the Netcraft toolbar deal with these
sites? Does it warn people? I suspect it does. Perhaps referring people to
use that is a good compromise. If you do decide to post these sites you
might give the sites a 30-day warning to let them fix it. If they don't, you
can post the site and a timeline of their refusal to fix.
- Neil
On 6/9/05, Amir Herzberg <leests at gmail.com> wrote:
>
> Many login pages invoke SSL to protect the password in transit by a
> script, but do _not_ protect the login form itself. Of course, if the
> login form is in a spoofed site, users are unlikely to notice,
> considering the page is not even supposed to be protected; this will
> happen even if the users are security-savvy (most are not), and also
> if the users are protected by a browser extension or other mechanism
> that provides a clear indication of unprotected sites (such as
> TrustBar).
>
> Question 1: do you agree - or disagree - that this is a problem?
>
> Question 2: do you see a very good reason for these sites to operate
> in this way?
>
> Question 3: I keep a `hall of shame` listing such sites, but the owner
> of this list insisted I do not include it in this posting, although I
> told him I made all these sites aware of the issue long ago and any
> that cared to respond claimed they don't consider this a
> vulnerability. [except a few that actually took care of it]. Do you
> agree with his policy? Do you think I should remove this list since it
> may help hackers? I think I made every reasonable effort to warn the
> sites...
>
> If you are interested in other Q&A on phishing/spoofing, please see
> http://www.cs.biu.ac.il/~herzbea/shame/FAQ.htm. Comments and
> suggestions most welcome.
>
> --
> Amir Herzberg
> Associate Professor, dept. of Computer Science
> Bar Ilan University
> http://AmirHerzberg.com
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
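The check the thread keeps coming back to (is the login page itself served over HTTPS, and does its form also post over HTTPS?) can be automated for a site's own audit. The following is an added example, not code from either poster; it classifies every password form on a fetched page by page scheme and resolved form action, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Record [action, has_password_field] for every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def classify_login_forms(page_url, html):
    """One verdict per password form: 'ok', 'unprotected-form' (HTTP page
    posting to HTTPS, the thread's case), 'unprotected-post', 'unprotected-both'."""
    collector = _FormCollector()
    collector.feed(html)
    page_tls = urlsplit(page_url).scheme == "https"
    verdicts = []
    for action, has_password in collector.forms:
        if not has_password:
            continue  # search boxes and the like are not login forms
        # A relative action inherits the page's scheme; an absolute one may not.
        post_tls = urlsplit(urljoin(page_url, action)).scheme == "https"
        if page_tls and post_tls:
            verdicts.append("ok")
        elif post_tls:
            verdicts.append("unprotected-form")
        elif page_tls:
            verdicts.append("unprotected-post")
        else:
            verdicts.append("unprotected-both")
    return verdicts


# Constructed sample: an HTTP login page whose form posts over HTTPS (the
# pattern the thread complains about), plus a search form that must be ignored.
SAMPLE_URL = "http://www.example.com/login"
SAMPLE_HTML = """<form action="/search"><input name="q"></form>
<form method="post" action="https://secure.example.com/auth">
<input name="user"><input type="password" name="pw"></form>"""
```

Anything other than "ok" means a spoofed copy of the page would look no different to the user than the real one, which is exactly the point raised above.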