WebApp Sec mailing list archives

TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...


From: Amir Herzberg <herzbea () cs biu ac il>
Date: Thu, 21 Oct 2004 10:40:25 +0200

Web spoofing and phishing attacks are probably the largest current threat to sensitive and financial web sites. Yet, many web site designers and webmasters, as well as browser developers, fail to take the basic measures to prevent such attacks. In fact, some of the largest and most visible and sensitive web sites still ask users to enter passwords into unprotected web forms - making it trivial for attackers to emulate these pages and steal passwords. These include PayPal, Chase, Microsoft's Passport, Yahoo!, eBay, TD Waterhouse,... (I checked most of them about a month ago and this was still the case; I checked PayPal today...)

What's wrong with these web site owners??? Is there any excuse?? Can't they fix this trivial bug _before_ hackers use this to steal lots of userid-passwords and money?? It is frightening to think of the potential result of such negligence!!

I noticed this weakness of major sites while testing TrustBar. TrustBar is a tiny open-source anti-spoofing/phishing tool we develop as part of Ahmad Gbara's masters thesis; the research is in http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm. TrustBar is currently available for Mozilla and Firefox browsers from http://TrustBar.mozdev.org. Try it...

TrustBar appears at the top of each window opened by the browser, and displays either a clear warning for insecure pages (useful to notice unprotected sites...), or the identity of the site and of the certificate authority which identified it - either by names or by logos. Logos are much better for security, convenience and branding, but since current certificates do not include logos, currently TrustBar users have to select them manually (once) from the right-click mouse menu - actually, this is not so bad, from my experience.

Best, Amir Herzberg

