AmEx unprotected login site

Amir Herzberg herzbea at macs.biu.ac.il
Thu Jun 9 10:18:28 EDT 2005


Ivars Suba responded to me:

> 1. This doesn't have any effect on non-SSL-protected sites (e.g.
> AmEx,... see `Hall of Shame`). And of course assumes users will notice 
> the use of non-SSL-site...
> 
> Vooooowww.. I didn't know that AmEx is not ssl protected ;))
> 
> Before user credentials are passed to site, site certificate are sent to 
> client browser, then certificate are accepted/denied, ssl tunnel  is 
> established/access denied:

As is clearly stated in messages you referred to, we all know Amex's 
site invoke SSL to encrypt the password. The problem is that a fake Amex 
site would not; and the user has no way to distinguish. Essentially, 
Amex site is secure against the (unlikely) eavesdropper, but not against 
the (much more likely) spoofer or the stronger (but possible) MITM.
> 
> Is this site ssl proteceted? Shame Hall isn't so "shamy" ;)
So, my claims in Hall of Shame remain. Or do you want to protect the 
Amex process? This will be interesting.
...
> Keep CA whitelist in SSL termination Proxy, and deny all others 
> (including sef-signed site certs).
You could of course do this filtering without also terminating the 
tunnel at your proxy. I agree that such filtering (without breaking the 
tunnel) is an advisable thing to do.
....
> 80% of users don't know what is the certificate. Imho, much better is  
> trust this task to SSL termination proxy... 
I agree most users don't know what's a CA doing and what's a PK cert. 
But my intuition - and research - show that they can learn very quickly 
if we use simple words instead of jargon. In TrustBar, we display the 
name/logo of the site, followed by the words `identified by` and the 
name/logo of the CA. Our (limited) testing shows users understand this 
very well. And of course this does not prevent you from also blocking in 
a proxy any CAs you don't trust. Let the user decide among these you 
can't rule out.
-- 
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list