[WEB SECURITY] Phishing/Spoofing FAQ, and questions re unprotected login sites

Will Jefferies wjefferies at fncinc.com
Thu Jun 9 11:56:08 EDT 2005


> It then should warn me, just like when I leave a https site.

Are you saying that if a form posts out-of-domain, it should warn?  This could get very annoying for a user if the alert is in the traditional way, thus forcing browser developers to give the option of turning it off.  And that's what everyone would do.  For instance, the www.hotmail.com login form posts to passport, so you would get a warning there.  But I do like the idea; perhaps the alert could show up in one of those little floating boxes (like the Outlook 2003 notification).

Sorry if this post arrives late.  For some reason, my posts to the list don't show up for a few hours.

Will



-----Original Message-----
From: Achim Hoffmann [mailto:kirke11 at securenet.de] 
Sent: Thursday, June 09, 2005 10:39 AM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Phishing/Spoofing FAQ, and questions re unprotected login sites

!! Question 1: do you agree - or disagree - that this is a problem?
agreed, we call this a semantic vulnerability (Jeremiah, please correct me:)

But I'm starting to think that this is a browser issue too, 'cause a browser should tell me where a form action goes too. It then should warn me, just like when I leave a https site.
Someone out there to teach browser developers?

!! Question 2: do you see a very good reason for these sites to operate in this way?
only if performance counts (or they want to become subject for phishing;-)

-- Achim


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
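
The check discussed in this thread, telling the user where a form action goes, sketched as an added example that is not part of any post here. The function names, the two-level 'warn'/'notice' split, the host names and the two-label definition of "site" are assumptions made for illustration.

```javascript
// Added example; all host names are constructed (.example is reserved).

// Assumption: "site" = last two DNS labels. A production check needs the
// Public Suffix List, since this misjudges suffixes such as co.uk.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Decide how loudly to tell the user where a form will send its data.
//   'warn'   - https page submitting over http (like leaving an https site)
//   'notice' - submits to a different site (unobtrusive, non-modal hint)
//   'none'   - stays on the same site
function classifyFormTarget(pageUrl, action) {
  const page = new URL(pageUrl);
  // An empty action submits back to the page's own URL.
  const target = new URL(action || pageUrl, page);
  const downgrade = page.protocol === 'https:' && target.protocol !== 'https:';
  const crossSite = siteOf(target.hostname) !== siteOf(page.hostname);
  const level = downgrade ? 'warn' : crossSite ? 'notice' : 'none';
  return { target: target.origin, crossSite, downgrade, level };
}

// Review every form on a page; `forms` mimics document.forms entries.
function reviewForms(pageUrl, forms) {
  return forms
    .map((f) => ({ name: f.name, ...classifyFormTarget(pageUrl, f.action) }))
    .filter((r) => r.level !== 'none');
}

// Constructed sample: a login page with three forms.
const findings = reviewForms('https://www.mail.example/login', [
  { name: 'search', action: '/search' },
  { name: 'login', action: 'https://login.sso.example/post' },
  { name: 'legacy', action: 'http://www.mail.example/auth' },
]);
console.log(findings);
```

A legitimate single-sign-on post, like the Hotmail case raised above, comes out as a 'notice' rather than a 'warn', which is the distinction between a floating hint and a modal alert.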

