AmEx unprotected login site

Amir Herzberg herzbea at macs.biu.ac.il
Thu Jun 9 11:33:31 EDT 2005


Perry E. Metzger wrote:

> When I go to the SSL protected page, I can look at the URL and the
> lock icon in the corner before typing in my password. 

Bless you for being so careful. I, instead, look at the logo of the site 
and of the CA as displayed in TrustBar. This is much easier, and 
protects me from subtle changes in the URL e.g. homographic attacks, 
from spoofed address bars, and from certificates granted without proper 
validation, e.g. `domain validated` certificates. I would expect each 
security expert to use TrustBar (or other appropriate browser or browser 
extension - but check they don't send each URL to their server).

> When you type in
> your password BEFORE the SSL connection, by the time you realize that
> it went to the wrong place, it is way too late.
If you realize it at all. A phisher can easily make you unaware of this.
> 
> I admit that not everyone will check the URL and the lock icon, but at
> least it is *possible* to train people to do the right thing on
> that. There is no way, effectively, to train people to be safe given
> the way that Amex is set up.
And there is no way you can protect your users by a proxy or a local TrustBar 
installation, which, as argued above, can protect reasonably well even 
naive or unsuspecting users.
-- 
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame.html
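
An added example, not part of this thread or of TrustBar: a small Python check for the pattern the thread criticises, a password form served on a plain http page even when its action posts to https. The URL and HTML below are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Record [action, has_password_field] for every <form> in the page."""
    def __init__(self):
        super().__init__()
        self.forms = []    # one [action, has_password] entry per form
        self._open = None  # entry for the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = [a.get("action") or "", False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_login_page(page_url, html):
    """Return (code, resolved action URL) for each password form.
    UNPROTECTED_LOGIN_PAGE: page fetched over plain http, so there is no URL
    or lock to check before typing.  PASSWORD_POSTED_IN_CLEAR: action not https.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)  # resolve relative actions
        if not page_https:
            findings.append(("UNPROTECTED_LOGIN_PAGE", target))
        if urlsplit(target).scheme != "https":
            findings.append(("PASSWORD_POSTED_IN_CLEAR", target))
    return findings


# Constructed sample: an http login page whose form posts to https.
SAMPLE_URL = "http://www.example.com/login"
SAMPLE_HTML = ('<form action="https://secure.example.com/auth" method="post">'
               '<input name="user"><input type="password" name="pass"></form>')
```

The sample is still flagged even though the credentials travel over TLS, because the user cannot verify the page that asks for them before typing.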

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
