[WEB SECURITY] Phishing/Spoofing FAQ, and questions re unprotected login sites

Neil Smithline neil.smithline at gmail.com
Thu Jun 9 12:28:16 EDT 2005

Regarding 1, I am surprised that you have found so many sites with this 
problem. When I speak with users they typically talk about looking for the 
lock on their browser when they get the login page as one of the few if not 
only security checks they perform. Alas, this isn't necessarily helpful as 
the site might have a login page in HTTPS but post the data over HTTP.

Regarding 2, no good reason. Especially since the form login page can 
avoid graphics or put the graphics over HTTP rather than HTTPS (although 
some browsers warn about this, it is not really a problem, as we know that 
users just ignore all of those browser warnings anyway :-). So, if 
performance isn't the problem, what can be the reason?

Question 3 is a toughie in my mind. I think you have an obligation to treat 
known vulnerabilities as confidential data and try and have them repaired 
without exposing the site and its users to unnecessary risk. You are asking 
what to do when the owner of the site is unresponsive on the repair. Does it 
then become your responsibility to warn people about the risks involved even 
if you are perhaps simplifying the task of hackers? I'm not sure. Perhaps if 
you can warn users in a way that doesn't divulge the information to hackers, 
it is best. For example, how does the Netcraft toolbar deal with these 
sites? Does it warn people? I suspect it does. Perhaps referring people to 
use that is a good compromise. If you do decide to post these sites you 
might give the sites a 30-day warning to let them fix it. If they don't, you 
can post the site and a timeline of their refusal to fix. 

- Neil

On 6/9/05, Amir Herzberg <leests at gmail.com> wrote:
> Many login pages invoke SSL to protect the password in transit by a
> script, but do _not_ protect the login form itself. Of course, if the
> login form is in a spoofed site, users are unlikely to notice,
> considering the page is not even supposed to be protected; this will
> happen even if the users are security-savvy (most are not), and also
> if the users are protected by a browser extension or other mechanism
> that provides a clear indication of unprotected sites (such as
> TrustBar).
> Question 1: do you agree - or disagree - that this is a problem?
> Question 2: do you see a very good reason for these sites to operate
> in this way?
> Question 3: I keep a `hall of shame` listing such sites, but the owner
> of this list insisted I do not include it in this posting, although I
> told him I made all these sites aware of the issue long ago and any
> that cared to respond claimed they don't consider this a
> vulnerability. [except a few that actually took care of it]. Do you
> agree with his policy? Do you think I should remove this list since it
> may help hackers? I think I made every reasonable effort to warn the
> sites...
> If you are interested in other Q&A on phishing/spoofing, please see
> http://www.cs.biu.ac.il/~herzbea/shame/FAQ.htm. Comments and
> suggestions most welcome.
> --
> Amir Herzberg
> Associate Professor, dept. of Computer Science
> Bar Ilan University
> http://AmirHerzberg.com
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
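The two mismatches discussed in this thread (a login form served over plain HTTP that posts to HTTPS, and the reverse that Neil mentions, an HTTPS page whose form posts over HTTP, plus HTTP graphics on an HTTPS page) can be checked statically from the page URL and its HTML. The script below is an added example written for this archive page, not code from either poster; the hostnames and HTML snippets are constructed for illustration. It only inspects the form's action attribute, so a page whose script "invokes SSL" at submit time (the case Amir describes) shows up as a form posting wherever its action points, which is exactly why such pages deserve a manual look.

```python
"""Static check of a login page for scheme mismatches between the page,
its password form's submit target, and its sub-resources.
Added example; site names below are made up."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect forms (with whether they hold a password field) and the
    URLs of embedded sub-resources (img/script/iframe src, link href)."""

    def __init__(self):
        super().__init__()
        self.forms = []         # [{"action": str, "has_password": bool}]
        self.subresources = []  # raw src/href values as written in the page
        self._current = None    # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # bare attributes map to None, hence the "or" guards
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True
        elif tag in ("img", "script", "iframe") and a.get("src"):
            self.subresources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.subresources.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of (finding, url) tuples for the page fetched from
    page_url with body html. Findings:
      unprotected_form  - the page holding the password field was not HTTPS
      plaintext_submit  - the password form posts to a non-HTTPS URL
      mixed_content     - an HTTPS page embeds an http:// sub-resource
    """
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []

    for form in scanner.forms:
        if not form["has_password"]:
            continue  # search boxes etc. are not what we care about
        # An empty action means "post back to this page", which urljoin gives us.
        target = urljoin(page_url, form["action"])
        if page_scheme != "https":
            findings.append(("unprotected_form", target))
        if urlsplit(target).scheme != "https":
            findings.append(("plaintext_submit", target))

    if page_scheme == "https":
        for ref in scanner.subresources:
            absolute = urljoin(page_url, ref)  # "//host/x" inherits https here
            if urlsplit(absolute).scheme == "http":
                findings.append(("mixed_content", absolute))

    return findings


# Constructed samples (not real sites).
# 1. Amir's case: form served over HTTP, credentials posted over HTTPS.
HTTP_PAGE_HTTPS_POST = """
<html><body>
<form action="https://secure.example.com/auth" method="post">
  <input name="user"><input type="password" name="pw"><input type="submit">
</form></body></html>"""

# 2. Neil's case: HTTPS login page whose form posts over plain HTTP.
HTTPS_PAGE_HTTP_POST = """
<html><body>
<form action="http://www.example.com/auth" method="post">
  <input type="password" name="pw">
</form></body></html>"""

# 3. HTTPS page, same-origin post, but an http:// logo (mixed content);
#    the protocol-relative script is fine and must not be flagged.
HTTPS_PAGE_MIXED = """
<html><head><script src="//cdn.example.com/login.js"></script></head><body>
<img src="http://www.example.com/logo.gif">
<form action="" method="post"><input type="password" name="pw"></form>
</body></html>"""


if __name__ == "__main__":
    for url, body in (("http://www.example.com/login", HTTP_PAGE_HTTPS_POST),
                      ("https://www.example.com/login", HTTPS_PAGE_HTTP_POST),
                      ("https://www.example.com/login", HTTPS_PAGE_MIXED)):
        print(url, audit_login_page(url, body))
```

Run against a fetched page (any HTTP client will do; the check needs only the final URL after redirects and the body). A clean result means only that the static wiring is right; it says nothing about the certificate, and nothing about what page scripts do at submit time.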