Defending users of unprotected login pages with TrustBar 0.4.9.93
Victor Duchovni
Victor.Duchovni at MorganStanley.com
Mon Sep 19 12:05:21 EDT 2005
On Mon, Sep 19, 2005 at 02:54:14PM +0200, Amir Herzberg wrote:
> We have now added a mechanism that
> computes a hash of every unprotected site for which the user has
> assigned name/logo. TrustBar compares this hash on subsequent accesses
> to the same site. If the site is not modified in five subsequent
> accesses, TrustBar begins displaying `Same since <date>`; and when the
> site changes, TrustBar displays a warning. This can help users notice a
> fake version of their login page. Unfortunately, this mechanism does not
> work very well on most real-life login pages, since most of them contain
> a tiny bit of frequently-changing data such as date or `random`
> identifiers (mostly to identify a cookie-less client, we think). We are
> working on improving the mechanism so it will be tolerant to such tiny
> changes, without exposing the user to malicious changes.
>
You could consider hashing just all <SCRIPT>...</SCRIPT> content,
the action URIs of all forms, and the targets of all links, ignoring
superficial content changes and changes in layout (sort the hashed
items).
--
Victor Duchovni
IT Security, Morgan Stanley

ASCII RIBBON CAMPAIGN AGAINST HTML MAIL

NOTICE: If received in error, please destroy and notify sender. Sender does not waive confidentiality or privilege, and use is prohibited.
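Victor's suggestion sketched in Python, as an added example that is not part of the original thread and not TrustBar code: the sample pages and the domain names in them are constructed. Only inline script bodies, external script sources, form action URIs and link targets go into the digest, sorted, so a changing date or session token leaves the hash unchanged while a rewritten form action does not.

```python
import hashlib
from html.parser import HTMLParser


class StructuralExtractor(HTMLParser):
    """Collect script bodies, script sources, form actions and link targets."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_buf = []
            if a.get("src"):
                self.items.append("script-src:" + a["src"])
        elif tag == "form":
            self.items.append("form-action:" + a.get("action", ""))
        elif tag == "a" and a.get("href"):
            self.items.append("link:" + a["href"])

    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands script content over as raw data
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.items.append("script:" + "".join(self._script_buf).strip())


def structural_hash(html: str) -> str:
    """SHA-256 over the sorted structural items; layout and text are ignored."""
    p = StructuralExtractor()
    p.feed(html)
    p.close()
    canonical = "\n".join(sorted(p.items))  # sort so reordering does not matter
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Constructed sample login page; domains are placeholders, not real sites.
BASELINE = ('<html><body><p>Today is 2005-09-19, session 7f3a</p><a href="/help">Help</a>'
            '<form action="https://login.example.com/auth" method="post">'
            '<input name="user"><input name="pass" type="password"></form>'
            '<script>document.forms[0].user.focus();</script></body></html>')
COSMETIC = BASELINE.replace("2005-09-19, session 7f3a", "2005-09-20, session c91e")
TAMPERED = BASELINE.replace("https://login.example.com/auth", "https://login.evil.test/auth")
```

Inline event handlers and CSS-driven overlays are outside this digest, so it catches changes to where credentials are sent, not every possible visual deception.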
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com