New Attack on Secure Browsing

Ian Grigg iang at systemics.com
Fri Jul 16 14:25:11 EDT 2004


Anton Stiglic wrote:
>>You stated that http://www.pgp.com is an SSL-protected page, but did you
>>mean https://www.pgp.com? On my Powerbook, with all the browsers I get an
>>error that the certificate is wrong and they end up at http://www.pgp.com.
> 
> 
> What I get is a bad certificate, and this is due to the fact that the
> certificate is issued to store.pgp.com and not www.pgp.com.
> Interestingly (maybe?), when you go and browse on their on-line store, and
> check something out to buy, the session is secured but with another
> certificate, one issued to secure.pgpstore.com.


Just to clarify, there is no SSL cert involved - or
there shouldn't be?!  My original post was pointing
out that it is possible to fool users by putting a
favicon padlock in place.  This seems to work only
on non-IE browsers, as these are the ones that go
further and display the favicon without further
user intervention.

If users can be so fooled, then they can be encouraged
to enter their details as if they are logging into the
site (not PGP but say e*Trade).  Hey presto, stolen
authentication, and stolen money.

I didn't expect so much confusion on this point, but
if indeed that wasn't obvious so much the better:
that was the issue, that people could be easily
confused!

iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
