Defending users of unprotected login pages with TrustBar 0.4.9.93

Amir Herzberg herzbea at macs.biu.ac.il
Tue Sep 20 06:03:07 EDT 2005


David Wagner wrote:
> Amir Herzberg writes:
> 
>>However, quite a few of these sites invoke SSL/TLS only _after_ user has
>>typed in her user name and pw, and clicked `submit`. This allows a MITM
>>adversary to send a modified login page to the user, which sends the pw
>>to the attacker (rather than encrypting it and sending to the site). See
>>below link to a `Hall of Shame (HoS)` listing such sites.
>>
>>There are few things we can do about this. We can try to convince these
>>sites to use SSL/TLS _before_ asking for userid and pw; I tried, and few
>>fixed, but most did not.
> 
> But this isn't enough.  The only way for a user to be secure against such
> attacks is to type in a https:-style URL into the address bar directly, or
> to load a https:-style URL from a bookmark.  

Why? What's your threat model?

From the follow-on, it seems you are concerned that even if the site's 
homepage, say http://chase.com, would redirect to https://chase.com, as 
etrade for instance does, this can be redirected by a MITM attacker. 
Similarly, if the homepage only contains a link to the https: protected 
login page, as most banks do (e.g. Citibank), then again a MITM may 
redirect this to his own page.

The user may not notice this change in address. In fact, with current 
browser UI, we know - by common sense and experiments - that almost all 
users will fail to notice such attacks. But our early experimental data 
with TrustBar seem to show that with improved UI, most users may be able 
to detect such spoofing attempts.

Moreover, a MITM attack may be done even if the user types https://... A 
MITM may reply to the SSL connection itself (e.g. via DNS spoofing). 
True, the browser expects a certificate for say chase.com and now will 
get a cert for a different site, so the user gets a warning message; 
however, this is the sort of messages that users often click-away 
without reading and definitely without understanding.

Furthermore, the attacker may even get a cert for the original address 
from one of the less-trustworthy CAs supported by the browser, in which 
case there is not even a warning - with current browser UI. TrustBar 
provides indicators which seem to allow most, or at least many, naive 
users to detect such attacks (involving a non-trustworthy CA).

> Users have to always remember
> to type in https://www.bank.com; they must never use http://www.bank.com,
> or they will be insecure.  Training users to follow this discipline is not
> a trivial task.
Impossible task, imho.
> 
> I'm not sure it is fair to blame this solely on the web sites
....
> changes to web browsers and/or web servers.  So, a Hall of Shame seems
> a little over the top to me, since there is no obvious way that the
> web site could fix this on its own.

Web sites should use SSL to protect their login forms (and redirect from 
http if user tries to use it). This does leave the possibility of users 
being redirected to other sites, but at least the site has done the best 
it can. Indeed, very few non-US banks expose their customers in this way.
> 
> TrustBar's solution to this conundrum is a nice one.  I like it.
> But it does require changing the web browser.
Thanks, and yes, I agree, this requires a browser change; I don't think we 
can avoid this. Users can currently use our extension, and we hope that 
as more and more do so, browser makers will add such features.
> 
> One thing that web sites could do to help is to always make
> https://www.foo.com work just as well as http://www.foo.com, and
> then browser plug-ins could simply translate http://www.foo.com ->
> https://www.foo.com for all sensitive sites.  Of course, web site
> operators may be reluctant to take this step on performance grounds.
Correct.

-- 
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: 
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame
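The criterion behind the Hall of Shame, and the fix Herzberg asks sites to apply, can be checked mechanically: a password form is only protected if the page carrying it was itself fetched over https and the form submits to an https URL; a form that arrives over plain http can be rewritten by a network attacker before the user types anything, whatever its action says. The following scanner is an added example written for this page; it is not TrustBar code and not the script behind the Hall of Shame. The bank hostnames and HTML snippets it contains are constructed for the demonstration.

```python
"""Classify login forms by whether SSL/TLS actually protects the password.

Added example, not code from TrustBar or the original post. The sample pages
and hostnames below are constructed; run on real pages by fetching the HTML
yourself and passing the URL it was fetched from.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect [action_url, has_password_field] for every <form> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each entry: [absolute action URL, bool]
        self._open = None      # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action means "post back to this page".
            self._open = [urljoin(self.page_url, a.get("action") or ""), False]
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def classify_login_page(page_url, html):
    """Return (action_url, verdict) for each form on the page that has a
    password field. Forms without a password field are ignored."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    verdicts = []
    for action, has_pw in scanner.forms:
        if not has_pw:
            continue
        action_https = urlsplit(action).scheme == "https"
        if page_https and action_https:
            verdict = "protected"
        elif page_https:
            verdict = "password sent in clear (https page posts to http)"
        elif action_https:
            # The Hall of Shame case: the form itself travelled over http, so
            # a MITM can replace its action with his own server and the user
            # sees no difference until the password is already gone.
            verdict = "unprotected login page (form served over http)"
        else:
            verdict = "password sent in clear (http page posts to http)"
        verdicts.append((action, verdict))
    return verdicts


# Constructed sample pages (hostnames are made up for the example).
LOGIN_FORM = (
    '<form action="https://login.example-bank.test/auth" method="post">'
    '<input name="user"><input type="password" name="pw"></form>'
)
RELATIVE_FORM = (
    '<form action="/login" method="post">'
    '<input name="user"><input type="password" name="pw"></form>'
)
SEARCH_FORM = '<form action="/search"><input name="q"></form>'


def audit_samples():
    """Run the classifier over the constructed pages; keyed by page URL."""
    return {
        "http://www.example-bank.test/":
            classify_login_page("http://www.example-bank.test/", LOGIN_FORM),
        "https://www.example-bank.test/":
            classify_login_page("https://www.example-bank.test/", LOGIN_FORM),
        "https://www.example-bank.test/rel":
            classify_login_page("https://www.example-bank.test/rel", RELATIVE_FORM),
        "http://www.example-bank.test/search":
            classify_login_page("http://www.example-bank.test/search", SEARCH_FORM),
    }


if __name__ == "__main__":
    for url, result in audit_samples().items():
        print(url, "->", result or "no password form")
```

Note that the verdict "protected" only means the site has done its part; as the thread points out, a user who reaches the https page via an http homepage or a spoofed DNS answer can still be redirected elsewhere, which the server-side check cannot see.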

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com