AmEx unprotected login site (was encrypted tapes, was Re: Papers about "Algorithm hiding" ?)
Amir Herzberg
herzbea at macs.biu.ac.il
Thu Jun 9 02:57:49 EDT 2005
Ken, you are correct (see below). And in fact, if the page came from the
right source (as validated by SSL and a secure browser extension such as
TrustBar), I don't think there is any need to validate the source (which
is impractical even for the geekest geek). After all, if a site is so
clueless as to send you corrupted scripts, it may as well publish your
password directly...
Best, Amir Herzberg
Ken Ballou wrote:
> Unless I misunderstand, the problem is that I cannot determine where my
> login information will go without examining the source of the login
> page. Sure, the form might be posted to a server using https. But,
> without examining the source of the login page, I won't be able to look
> at the certificate for the site to which my credentials have been sent
> until it's too late.
>
> It's still the case that if I retrieve the original login form via
> https, I have to examine the page source to see to which server the form
> will be posted. But I can examine the certificate of the site from
> which I got the form originally to determine whether this is a phishing
> attack. If the login form itself can be shown to have come from an AmEx
> server, I'm probably more comfortable trusting that my credentials are
> going to the right server.
>
> Do I completely misunderstand?
>
> - Ken
>
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
New: see my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame.html
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com