encrypted tapes

Perry E. Metzger perry at piermont.com
Wed Jun 8 10:01:54 EDT 2005


Ben Laurie <ben at algroup.co.uk> writes:
> Perry E. Metzger wrote:
>> Have a look, for example, at http://www.americanexpress.com/
>> which encourages users to type in their credentials, in the clear,
>> into a form that came from lord knows where and sends the information
>> lord knows where. Spoof the site, and who would notice?
>> Every company should be telling its users never to type in their
>> credentials on a web page downloaded in the clear, but American
>> Express and lots of other companies train their users to get raped,
>> and why do they do it? Not because they made some high level decision
>> to screw their users. Not because they can't afford to do things
>> right. It happens because some idiot web designer thought it was a
>> nice look, and their security people are too ignorant or too powerless
>> to stop it, that's why.
>
> Why is it bad for the page to be downloaded clear? What matters is the
> destination is encrypted, surely?

Why is it a problem? Because the http post method you're relying on
could have come from anyone -- you're just assuming that it posts to
Amex's site.

How often do users hit ^U and read the source on the front page of a
site like this? Never, for practical purposes. Unless you're looking
at the code every time, you have no idea where your form data gets
posted. It could be a server in Moldova instead of Manhattan.

You have no idea where the page came from, and thus you have no idea
where the post method will send your data. You assume it came from
American Express, but it may very well have come from people
attempting to crack your account who used DNS cache contamination or
other techniques to get you to talk to their server. Even plain old
man-in-the-middle interception and modification would work for this,
though it is harder to do unless, say, the victim is using the
wireless at Starbucks or an airport or what have you, in which case it
is trivial.


Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com