Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Spoofing phishing attacks, SSL and TrustBar

from [Amir Herzberg] Network Security [Permanent Link]
Subject: Spoofing phishing attacks, SSL and TrustBar
Date: Thu, 19 Aug 2004 10:56:41 +0200 
Ivan Krstic kindly copied me on a note he sent to this group recently,
on the topic `Growing Bad Practice with Login Forms`. Ivan noted that my
recent work with Ahmad Gbara is relevant to it. The ideas are in
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm; Ahmad is
developing an implementation for Mozilla which you can see/try at
http://TrustBar.MozDev.org - but this is not yet an `announcement` for
it since it is still in debugging (although, I use different versions of
it for a couple of months now and find it already very useful). If any
of you want to implement for other browsers (or to improve on Ahmad's
implementation), you are very welcome.

TrustBar is a tiny browser (currently Mozilla) extension to display
clear warning in insecure sites, and display the name of the site, or
preferably a logo or icon selected by the user or certified by an
authority trusted by the user (a CA or a friend or the Trademark
Office...). The warning is fixed in the top of every Mozilla window,
including helper app windows, so it cannot be spoofed by the site. There
is a lot more - see the paper and send us comments...

Most relevant to the discussion you had here (I looked a bit in your
archive) may be some screen shots which show how some of the largest web
sites (Microsoft Passport, Yahoo, Ebay, Amazon, Chase, TD Waterhouse)
prompt users for passwords etc. in unprotected pages (sometimes claiming
they are protected...), see in paper or directly:
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing_files/image005.gif

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Spoofing phishing attacks, SSL and TrustBar, Amir Herzberg <=
Previous by Date:  Re: Recent App Test, Blake Schneider
Next by Date:  RE: ArtistScope, Yvan Boily
Previous by Thread:  IE cookie menagment and CSRF, lazy
Next by Thread:  Design Patterns Re-Loaded ;-), Mark Curphey
Indexes:  [Date] [Thread] [Top] [All Lists]