WebApp Sec mailing list archives

RE: Solutions to phishing and to site spoofing

From: Michael Silk <michaelsilk () gmail com>
Date: Wed, 1 Dec 2004 10:08:52 +1100

Hi Amir,

        I read paper (btw: did anyone else find the text was overlapping in
some places ?) but I had a bit of difficulty understand exactly what
TrustBar does.
        
        Correct me if I'm wrong, but does it simply make the "Secure"
indicators of a site more obvious? And provide a way to put a logo
outside the web page?
        
        If so, it seems to be the same old story of education when
implementing it ... i.e. that users need to be educated to care enough
to look at it and consider it before typing in a password.
        
        Again, correct me if I'm wrong but wouldn't it also display "WARNING:
THIS PAGE IS NOT PROTECTED" for every single non-ssl site? This, IMO,
would make that warning almost useless as users would learn to ignore
it.

-- Michael


-----Original Message-----
From: Amir Herzberg [mailto:herzbea () cs biu ac il] 
Sent: Tuesday, 30 November 2004 6:27 PM
To: webappsec () securityfocus com
Subject: Solutions to phishing and to site spoofing

Re Michael's proposal
(http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.html): 
    I agree with others that it is not reasonable to build security on
(insecure) e-mail. In particular I agree with Rogan: if you are
willing to have users install private/public key pair, with public key
known to server, then you can authenticate the user using SSL/TLS
client authentication - no need for passwords at all, very convenient
(once the keys are installed as I wrote above).

Finally, I also agree with Mark Burnett, who said:

Protecting authentication credentials is also a problem, but the  >

solution to phishing is more one of authenticating the site rather  >
than authenticating the user. First solving the issue of  >
authenticating the site makes it easier to solve the problem of  >
authenticating the user.

Let me add that site authentication is also important when clients
cannot be authenticated, e.g. by a web store prompting for credit card
or other personal details, or a source of sensitive information, e.g.
software download or financial information. Site authentication is the
basic function of SSL/TLS, but I believe it is currently poorly
implemented, since the UI is not visible enough, and since browsers
trust many certificate authorities that users are not even aware of.
We have some initial survey results which support this strongly.

I will appreciate your feedback on TrustBar, our proposal (and
implementation) of a browser add-on (hopefully to be integrated with
future browsers), to address these concerns. You can download TrustBar
from http://TrustBar.MozDev.org for Mozilla and FireFox; the open
source code should also be there soon (or e-mail me to get it). Or
read about it and  about the secure UI principles and research
(including survey) behind it at
http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm.
I am trying to arrange an IE implementation (any takers?)

Best,

Amir Herzberg
http://AmirHerzberg.com
Associate Prof., Computer Science Dept
Bar Ilan University

Current thread:

Solutions to phishing and to site spoofing Amir Herzberg (Nov 30)
- <Possible follow-ups>
- RE: Solutions to phishing and to site spoofing Michael Silk (Dec 01)
  - Message not available
    - Re: Solutions to phishing and to site spoofing Michael Silk (Dec 02)