New Attack on Secure Browsing
Aram Perez
aramperez at mac.com
Fri Jul 16 00:36:34 EDT 2004
Hi Ian,
> Congratulations go to PGP Inc - who was it, guys, don't be shy this
> time? - for discovering a new way to futz with secure browsing.
>
> Click on http://www.pgp.com/ and you will see an SSL-protected page
> with that cute little padlock next to domain name. And they managed
> that over HTTP, as well! (This may not be seen in IE version 5 which
> doesn't load the padlock unless you add it to favourites, or some
> such.)
Here what I saw when going to the PGP site:
Windows XP Pro:
IE 6.x: No padlock
Firefox 0.9.2: Padlock on address bar and tab
Mac OS 10.2.8:
IE 5.2: No padlock
Safari 1.0.2: Padlock on address bar but no on tab
Fixfox 0.8: Padlock on address bar and tab
Camino 0.7: Padlock on address bar and tab
You stated that http://www.pgp.com is an SSL-protected page, but did you
mean https://www.pgp.com? On my Powerbook, with all the browsers I get an
error that the certificate is wrong and they end up at http://www.pgp.com.
I'm not sure if PGP deliberately set out to confuse naïve users since their
logo has been the padlock for a while. Many web sites have their logo
displayed on the address bar (and tab) when you go to there site, see
http://www.yahoo.com or http://www.google.com. Maybe Jon can answer the
question.
Respectfully,
Aram Perez
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list