A cool demo of how to spoof sites (also shows how TrustBar prevents this...)

Amir Herzberg herzbea at macs.biu.ac.il
Thu Feb 10 02:28:34 EST 2005


Adam Shostack wrote:
> On Wed, Feb 09, 2005 at 07:41:36PM +0200, Amir Herzberg wrote:
> | Want to see a simple, working method to spoof sites, fooling 
> | Mozilla/FireFox/... , even with an SSL certificate and `lock`?
> | 
> | http://www.shmoo.com/idn/
> | 
> |  See also:
> | 
> |   http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3866526512
> | 
> | Want to protect your Mozilla/FireFox from such attacks? Install our 
> | TrustBar: http://TrustBar.Mozdev.org
> | (this was the first time that I had a real reason to click the `I don't 
> | trust this authority` button...)
> | 
> | Opinions?
> 
> Just because you can demonstrate that you're pre-emptively and
> pro-actively blocking attacks that beat the current system doesn't
> mean ....
> 
> I can't go on.  My head would explode.
No need to. I quite agree and certainly didn't claim that this (the fact 
TrustBar helps against this attack) is proof of TrustBar's value; after 
all I've been arguing for its value way before... It is just that this 
attack exactly highlights our claims about the need to improve 
visibility and in particular to make the CA a `brand` known to the end user.
> 
> Have you run end-user testing to demonstrate the user-acceptability of
> Trustbar?
So far, I'm afraid we've done only `dry` surveys (which gave good 
indications, but I completely agree with you again, that they are 
insufficient). We want to do end-user testing and hope to do it, but we 
- Ahmad and I - have very limited resources (including time), and this 
is a big task. In particular, I really can't drop all of my other 
research and do just this... Which is exactly why I seek help from you 
and the others in this (and other) forums... I don't think this is only 
our business, after all.

Best, Amir

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


