lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040715171929.X17279@ubzr.zsa.bet>
From: measl at mfn.org (J.A. Terranson)
Subject: New Attack on Secure Browsing (fwd)

FYI:

Opera 7 generic: Works;
IE 6.0.2800.1106 sp1;Q837009;Q832894;Q831167;Q823353

-- 
Yours,

J.A. Terranson
sysadmin@....org

  "...justice is a duty towards those whom you love and those whom you do
  not.  And people's rights will not be harmed if the opponent speaks out
  about them."      Osama Bin Laden
	- - -

  "There aught to be limits to freedom!"    George Bush
	- - -

Which one scares you more?


---------- Forwarded message ----------
Date: Thu, 15 Jul 2004 17:12:30 +0100
From: Ian Grigg <iang@...temics.com>
To: Metzdowd Crypto <cryptography@...zdowd.com>
Subject: New Attack on Secure Browsing

(((( Financial Cryptography Update: New Attack on Secure Browsing )))))

                              July 15, 2004


------------------------------------------------------------------------

http://www.financialcryptography.com/mt/archives/000179.html



------------------------------------------------------------------------

Congratulations go to PGP Inc - who was it, guys, don't be shy this
time? - for discovering a new way to futz with secure browsing.

Click on http://www.pgp.com/ and you will see an SSL-protected page
with that cute little padlock next to domain name.  And they managed
that over HTTP, as well!  (This may not be seen in IE version 5 which
doesn't load the padlock unless you add it to favourites, or some
such.)

Whoops!  That padlock is in the wrong place, but who's going to notice?
  It looks pretty bona fide to me, and you know, for half the browsers I
use, I often can't find the darn thing anyway.	This is so good, I just
had to add one to my SSL page (http://iang.org/ssl/ ).	I feel so much
safer now, and it's cheaper than the ones that those snake oil vendors
sell :-)

What does this mean?  It's a bit of a laugh, is all, maybe.  But it
could fool some users, and as Mozilla Foundation recently stated, the
goal is to protect those that don't know how to protect themselves.  Us
techies may laugh, but we'll be laughing on the other side when some
phisher tricks users with the little favicon.

It all puts more pressure on the oh-so-long overdue project to bring
the "secure" back into "secure browsing."  Microsoft have befuddled the
already next-to-invisible security model even further with their
favicon invention, and getting it back under control should really be a
priority.

Putting the CA logo on the chrome now seems inspired - clearly the
padlock is useless.  See countless rants [1] listing the 4 steps needed
and also a new draft paper from Amir Herzberg and Ahmad Gbara [2]
exploring the use of logos on the chrome.

[1] SSL considered harmful
http://iang.org/ssl/

[2]  Protecting (even) Naïve Web Users,
or: Preventing Spoofing and Establishing Credentials of Web Sites
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ