lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <0d1901c6561d$e1514d80$2101a8c0@othello>
Date: Sun Apr  2 07:23:08 2006
From: niceman at att.net (Mike Nice)
Subject: [HV-PAPER] Anti-Phishing Tips You
	ShouldNotFollow

>>    Tip #4 works precisely because it defeats pharming, MITM and 
>> type-alike.
>> The Cert box is nearly impossible to spoof because you would have to 
>> spoof
>> the actual bank's certificate.  Any error and your browser will pop up a
>> warning dialog that the host name on the SSL cert doesn't match the name 
>> of
>> the host.    That's only assuming that some corrupt CA hasn't issued a
>> second SSL cert for the real bank host name.
>>
>
>You must not have visited Codefish.  The spoof wrote a https:  web
>address in the address bar, and wrote the bottom of the browser to
>look just like an SSL connection, complete with a lock. When the lock
>was clicked, it popped up something that looked just like the cert
>box.  Very well done indeed.

   I have not seen Codefish, but Tip #4 does not rely at all on the user's 
visual acuity except during the initial bookmarking.   It is possible that 
the Codefish technique could work if the Pharming was active during the 
bookmarking when checking the certificate credentials.   This is possible 
but unlikely.

   But later, when the bookmark points to the bank's SSL page, the browser 
would still pop up an error that the certificate name does not match during 
the SSL negotiation phase.   All the user has to know is 'pick the bank page 
from favorites, then don't accept any popup warnings'.

>I'm continually amazed by the belief that the cert box is sacrosanct.
>If the underlying box is compromised, all bets are off.

   This is a good point - I wouldn't place any trust in your average 
E-commerce site.    Hopefully a bank would pay more attention to security. 
The thinking is that if you as a user have secured everything at the client 
end, there is less risk of a drained account.  Presumably in the US, the 
bank assets are insured by the government if the bank's system is 
compromised.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ