AmEx unprotected login site
Amir Herzberg
herzbea at macs.biu.ac.il
Thu Jun 9 11:33:31 EDT 2005
Perry E. Metzger wrote:
> When I go to the SSL protected page, I can look at the URL and the
> lock icon in the corner before typing in my password.
Bless you for being so careful. I, instead, look at the logo of the site
and of the CA as displayed in TrustBar. This is much easier, and
protects me from subtle changes in the URL e.g. homographic attacks,
from spoofed address bars, and from certificates granted without proper
validation, e.g. `domain validated` certificates. I would expect each
security expert to use TrustBar (or other appropriate browser or browser
extension - but check they don't send each URL to their server).
> When you type in
> your password BEFORE the SSL connection, by the time you realize that
> it went to the wrong place, it is way too late.
If you realize it at all. A phisher can easily make you unaware of this.
>
> I admit that not everyone will check the URL and the lock icon, but at
> least it is *possible* to train people to do the right thing on
> that. There is no way, effectively, to train people to be safe given
> the way that Amex is set up.
And no way you can protect your users by a proxy or a local TrustBar
installation, which, as argued above, can protect reasonably well even
naive or unsuspecting users.
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
New: see my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame.html
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com