WebApp Sec mailing list archives
RE: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...
From: "Yvan G.J. Boily" <yboily () seccuris com>
Date: Mon, 25 Oct 2004 23:31:33 -0500
The point Mr. Wall was trying to make is that using SSL to "protect" a login page prior to the actual (HTTP Verb) which submits the credentials to the web server does nothing to prevent a user from falling victim to a spoofed web page. Your trustbar tool is essentially just another way of putting information in front of the users face, however it does nothing that isn't already available. Since the "trustbar" is not part of the default distribution of a browser it will not do much to further awareness, or protect a user. This is more so the case because a user who has the understanding to install the software will generally not be caught by a phishing scam or fooled by a spoofed server. The idea of adding adding SSL to the actual page as a means to protect the user promotes a "security oriented process" which in essence, provides 0 (zero) additional security. As a slight aside, it seems to me that you have misunderstood the intention of the "padlock" icon beside the Chase login. When I went to www.chase.com and saw the padlock, my first inclination was to click it. Did I do this because it makes sense to me? No, my first inclination is to inspect both the "action" field of the form, and the SSL certificate. I did this because I asked my girlfriend to tell me if it was secure or not, and she said if you click on the padlock, it will usually tell you. You know, she is not exactly a computer n00b, but neither is she extremely aware of computers and security either. I would rate her just a touch above the average user, skewed in the time we have been dating because of exposure to my paranoia* (*her word, not mine). The reason this is important is because you claim the "lock" icon is misleading. I say that the lock icon is more intuitive than a "trust bar" or the SSL warnings. People using e-commerce sites have been indoctrinated to "look for the padlock" and "click on it for more information". It is my opinion that you are likely doing more damage than good by spreading fear, uncertainty, and doubt about a widely used, and commonly accepted practice to which your proposed solution does essentially nothing about. I apologize if this seems unduly harsh, but I think that you may have lost sight of the intended audience during your academic pursuits. Regards, Yvan Ps. The final statement in your message -- Here you are wrong; the problem is at the mail paypal site so many users - even not naive - may reach this site. Bears clarification.. If you mean the email message is the issue, you are in fact, correct. Email clients and web browsers should provide a built in means to assess and modify information being sent in a HTTP request or in a link (including reverse DNS of the IP address) to provide a higher level of awareness. Again, this will only be valuable if the users of said feature are reasonably aware as well. -----Original Message----- From: Amir Herzberg [mailto:herzbea () cs biu ac il] Sent: Monday, October 25, 2004 2:13 AM To: webappsec () securityfocus com; David Wall @ Yozons, Inc. Subject: Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... "David Wall @ Yozons, Inc." responded to me:
and most visible and sensitive web sites still ask users to enter passwords into unprotected web forms - making it trivial for attackers to emulate these pages and steal passwords. These include PayPal, chase, Microsoft's passport, Yahoo!, eBay, TD Waterhouse,... (I've checked most of them about a month ago and this was still the case; I've checked PayPal today...)Your tool may be nice, but Paypal does redirect to an SSL site if you type in paypal.com or www.paypal.com and if you click the "log in" link.
PayPal redirects to SSL site once you hit the `log in` link, but it also asks users for userid and password directly at its (unprotected) homepage, http://www.paypal.com. The same holds for Chase, Yahoo! etc (see screen shots and links from the paper, http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm). Some of them (e.g. Chase) are especially misleading as they display a padlock next to the `login` button, which users may interpret as `this is protected`. But of course these pages are not protected at all so they are trivial to spoof (and collect the passwords).
Of course, this helps, but since most web users are not savvy and don't use your tool, such a "fix" rarely helps.
Exactly my point. Conclusions: 1. Web users should be encouraged to use TrustBar (or browsers, or add-ins, providing equivalent functionality). 2. Browser developers should incorporate TrustBar (or equivalent mechanisms). This should be easy, esp. since our project is open-source (http://trustbar.mozdev.org) and as far as I know patent-free. 3. Web site designers should be more sensitive to this threat... It is amazing that such major sites have such obvious and trivial to fix vulnerabilities, and noticed I've informed them all; the only positive response I got was some discount vouchers from TD Waterhouse - but really I would have preferred, if they also acted on my trivial recommendation...
After all, someone who is naive enough to follow such paypal links probably doesn't know anything about keeping themselves safe online, which is why they are targeted.
Here you are wrong; the problem is at the mail paypal site so many users - even not naive - may reach this site. Best, Amir Herzberg http://AmirHerzberg.com Associate Professor, Computer science department, Bar Ilan University
Current thread:
- Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... Amir Herzberg (Oct 25)
- RE: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ... Yvan G.J. Boily (Oct 28)