AmEx unprotected login site (was encrypted tapes, was Re: Papers about "Algorithm hiding" ?)

Amir Herzberg herzbea at macs.biu.ac.il
Thu Jun 9 02:57:49 EDT 2005


Ken, you are correct (see below). And in fact, if the page came from the 
right source (as validated by SSL and a secure browser extension such as 
TrustBar), I don't think there is any need to validate the source (which 
is impractical even for the geekest geek). After all, if a site is so 
clueless as to send you corrupted scripts, it may as well publish your 
password directly...

Best, Amir Herzberg

Ken Ballou wrote:
> Unless I misunderstand, the problem is that I can not determine where my
> login information will go without examining the source of the login
> page.  Sure, the form might be posted to a server using https.  But,
> without examining the source of the login page, I won't be able to look
> at the certificate for the site to which my credentials have been sent
> until it's too late.
> 
> It's still the case that if I retrieve the original login form via
> https, I have to examine the page source to see to which server the form
> will be posted.  But I can examine the certificate of the site from
> which I got the form originally to determine whether this is a phishing
> attack.  If the login form itself can be shown to have come from an AmEx
> server, I'm probably more comfortable trusting that my credentials are
> going to the right server.
> 
> Do I completely misunderstand?
> 
> 					- Ken
> 
> 

-- 
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
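The check Ken describes above (read the login page's source, find where the form actually posts, and compare that with the server whose certificate you inspected) can be scripted instead of done by eye. The block below is an added example written for this archive page; it is not code from the thread, from Amir Herzberg or from AmEx. It assumes Node.js 18 or later (for the global URL class); PAGE_URL and SAMPLE_HTML are constructed sample input, not a real AmEx page.

```javascript
// Added example, not from the thread: statically inspect where each form on
// a login page will send credentials, relative to the page that served it.
// Assumes Node.js 18+ (global URL). PAGE_URL and SAMPLE_HTML are constructed.

const PAGE_URL = 'https://www.example.com/login';

// Constructed sample: four forms with different submit targets.
const SAMPLE_HTML = `
<html><body>
<form method="post" action="https://login.example.com/auth">
  <input name="user"><input type="password" name="pass">
</form>
<form method="post" action="http://www.example.com/legacy-login">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
<form method="post">
  <input name="user"><input type='password' name="pass">
</form>
<form action="//collector.example.net/grab" method="post">
  <input type="text" name="q">
</form>
</body></html>`;

// Parse one tag's attribute string into a lowercase-keyed map.
function parseAttrs(attrText) {
  const attrs = {};
  const attrRe = /([a-zA-Z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let a;
  while ((a = attrRe.exec(attrText)) !== null) {
    attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
  }
  return attrs;
}

// Find every <form>...</form>, its action attribute, and whether it carries a
// password field. A regex is enough for this constructed input; real pages
// need an HTML parser, and JavaScript may rewrite `action` at submit time,
// which no static check of the source can see.
function extractForms(html) {
  const forms = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const hasPassword = /<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(m[2]);
    forms.push({ action: attrs.action, hasPassword });
  }
  return forms;
}

// Resolve each form's submit target against the page URL (a missing or empty
// action submits to the page itself; "//host/..." keeps the page's scheme)
// and compare it with the origin whose certificate the user checked.
function checkFormTargets(pageUrl, html) {
  const page = new URL(pageUrl);
  return extractForms(html).map(({ action, hasPassword }) => {
    const raw = action && action.trim() !== '' ? action : page.href;
    const target = new URL(raw, page.href);
    let verdict;
    if (target.protocol !== 'https:') {
      verdict = 'plaintext';          // credentials leave the browser unencrypted
    } else if (target.origin !== page.origin) {
      verdict = 'cross-origin-https'; // encrypted, but to a server whose cert you never saw
    } else {
      verdict = 'same-origin-https';  // the certificate you checked covers the recipient
    }
    return { target: target.href, hasPassword, verdict };
  });
}

// Stand-alone use: one line per form on the sample page.
for (const f of checkFormTargets(PAGE_URL, SAMPLE_HTML)) {
  console.log(`${f.hasPassword ? 'LOGIN' : 'other'} ${f.verdict.padEnd(18)} -> ${f.target}`);
}
```

On the sample page the first login form posts over HTTPS but to a different origin than the one served, which is exactly the case Ken raises: the certificate you looked at is not the one protecting the credentials. The second posts in the clear, and the third, with no action attribute, posts back to the page itself. The caveat in the comments matters in practice: a script that sets the form's action at submit time defeats this static check, which is the point Amir makes about relying on the source being trustworthy in the first place.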


