A cool demo of how to spoof sites (also shows how TrustBar prevents this...)
Amir Herzberg
herzbea at macs.biu.ac.il
Thu Feb 10 02:28:34 EST 2005
Adam Shostack wrote:
> On Wed, Feb 09, 2005 at 07:41:36PM +0200, Amir Herzberg wrote:
> | Want to see a simple, working method to spoof sites, fooling
> | Mozilla/FireFox/... , even with an SSL certificate and `lock`?
> |
> | http://www.shmoo.com/idn/
> |
> | See also:
> |
> | http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3866526512
> |
> | Want to protect your Mozilla/FireFox from such attacks? Install our
> | TrustBar: http://TrustBar.Mozdev.org
> | (this was the first time that I had a real reason to click the `I don't
> | trust this authority` button...)
> |
> | Opinions?
>
> Just because you can demonstrate that you're pre-emptively and
> pro-actively blocking attacks that beat the current system doesn't
> mean ....
>
> I can't go on. My head would explode.
No need to. I quite agree and certainly didn't claim that this (the fact
TrustBar helps against this attack) is proof of TrustBar's value; after
all I've been arguing for its value way before... It is just that this
attack exactly highlights our claims about the need to improve
visibility and in particular to make the CA a `brand` known to the end user.
>
> Have you run end-user testing to demonstrate the user-acceptability of
> Trustbar?
So far, I'm afraid we've done only `dry` surveys (which gave good
indications, but I completely agree with you again, that they are
insufficient). We want to do end-user testing and hope to do it, but we
- Ahmad and me - have very limited resources (including time), and this
is a big task. In particular, I really can't drop all of my other
research and do just this... Which is exactly why I seek help from you
and the others in this (and other) forums... I don't think this is only
our business, after all.
Best, Amir
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com