WebApp Sec mailing list archives
Re: Must we authenticate login forms (using SSL?)?
From: mike03051 () yahoo com
Date: 30 Sep 2005 00:25:12 -0000
Amir,

Thank you for the response and clarification. As to whether I am a security expert, it depends on whether, in your opinion, a security expert is made through certification. If so, neither you nor I would qualify, as neither of us appears to flaunt any security certifications.

I gather from your response that we agree that HTTP and HTTPS pages are equally susceptible to both phishing and MITM attacks. An attacker can always use a bank's name in the URL, as, for example, citibank.ny02110.biz will work. All the attacker needs to do is acquire a certificate for their site and they will be able to host an SSL site. Since we agree on this point of fact, I find the entire HOS listing pointless and misleading. It is your choice as to what you wish to do with it. Leave it up if you feel like it.

I do believe that TrustBar offers many advantages for a user who chooses to download it. Whether it can read the certificate or not is probably not one of its major strengths, as citibank.ny02110.biz is maybe just not enough information for a user. I do want to thank you for the insight into your tool and the explanation of the HOS reasoning.

Mike