[WEB SECURITY] Phishing/Spoofing FAQ, and questions re unprotected login sites

Achim Hoffmann kirke11 at securenet.de
Fri Jun 10 09:51:55 EDT 2005


On Thu, 9 Jun 2005, Will Jefferies wrote:

!! > It then should warn me, just like when I leave a https site.
!!
!! Are you saying that if a form posts out-of-domain, it should warn?  This
!! could get very annoying for a user if the alert is in the traditional way,
!! thus, forcing browser developers to give the option of turning it off.
!! And that's what everyone would do.  For instance, www.hotmail.com login
!! form posts to passport, so you would get a warning there.  But I do like
!! the idea, perhaps the alert could show up in one of those little floating
!! boxes (like outlook 2003 notification).

As Jeremiah suggested: the pattern to trigger the browser to check something
might be the type=password attribute.
Then I'd say that an alert is required for any of the following conditions:
  - action's schema is http
  - form's action is different to current page (URI with full path)
  - form's method=GET
  - sending cookies without secure flag
  - any active scripting involved (onClick, etc.), sorry no details for now
  - sending domain cookies (needs to be further discussed)
  - sending cookies when path=/ (needs to be discussed too)

This should keep the "secure form watchdog" silent in most cases. Just the
nasty ones pop up.
Then we also have a reason (at least technical) to blame sites with logins
to/from other sites (passport, etc.).

The browser developers may give a GUI to these check conditions. If the
default is set to the strongest one and the user changes it, it's the user's
fault then.

-- Achim

!!
!! -----Original Message-----
!! From: Achim Hoffmann [mailto:kirke11 at securenet.de]
!! Sent: Thursday, June 09, 2005 10:39 AM
!!
!! But I'm starting to think that this is a browser issue too, 'cause a browser should tell me where a form action goes too. It then should warn me, just like when I leave a https site.
!! Someone out there to teach browser developers?

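The "secure form watchdog" conditions listed in the message, as an added example (not code from the thread or from any browser): it audits a simplified model of a login form and returns the conditions that would trigger an alert, staying silent for a clean same-page https POST. The input shapes (page URL, form descriptor, cookie descriptors) and the example domains are assumptions made for this illustration; a real browser would read them from the DOM and its cookie jar.

```javascript
// Added example: "secure form watchdog" over a simplified form model.
// form:    { action, method, hasPasswordField, inlineHandlers }   (assumed shape)
// cookies: [{ name, secure, domain, path }] that would be sent with the submit
function auditPasswordForm(pageUrl, form, cookies) {
  const findings = [];
  // The trigger is the type=password attribute: other forms are not audited.
  if (!form.hasPasswordField) return findings;

  const page = new URL(pageUrl);
  // Relative actions resolve against the current page, as a browser would.
  const action = new URL(form.action || "", page);

  if (action.protocol !== "https:") findings.push("action-not-https");
  // "different to current page (URI with full path)": compare origin + path.
  if (action.origin + action.pathname !== page.origin + page.pathname) {
    findings.push("action-differs-from-page");
  }
  if ((form.method || "GET").toUpperCase() === "GET") findings.push("method-get");
  if (form.inlineHandlers && form.inlineHandlers.length > 0) {
    findings.push("active-scripting");
  }
  for (const c of cookies) {
    if (!c.secure) findings.push(`cookie-without-secure:${c.name}`);
    // A leading dot marks a domain cookie shared with all subdomains.
    if (c.domain && c.domain.startsWith(".")) findings.push(`domain-cookie:${c.name}`);
    if (c.path === "/") findings.push(`root-path-cookie:${c.name}`);
  }
  return findings;
}

// Constructed samples (hypothetical domains): a nasty login form and a clean one.
const PAGE = "https://login.example.org/signin";
const NASTY_FORM = { action: "http://sso.example.net/auth", method: "get",
  hasPasswordField: true, inlineHandlers: ["onclick"] };
const NASTY_COOKIES = [{ name: "sid", secure: false, domain: ".example.org", path: "/" }];
const CLEAN_FORM = { action: "/signin", method: "post",
  hasPasswordField: true, inlineHandlers: [] };
const CLEAN_COOKIES = [{ name: "sid", secure: true, domain: "login.example.org", path: "/signin" }];

console.log("nasty:", auditPasswordForm(PAGE, NASTY_FORM, NASTY_COOKIES));
console.log("clean:", auditPasswordForm(PAGE, CLEAN_FORM, CLEAN_COOKIES));
```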

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
