Network Security Web-App-Sec

Subject: Re: TrustBar and insecure sites of PayPal, MS Passport, Yahoo!, Chase, ...
Date: Tue, 26 Oct 2004 14:50:48 +0200
Yvan G.J. Boily wrote:

> The point Mr. Wall was trying to make is that using SSL to "protect" a login
> page prior to the actual (HTTP Verb) which submits the credentials to the
> web server does nothing to prevent a user from falling victim to a spoofed
> web page.
That's incorrect. By protecting the login form, we prevent a rogue page which appears as the original, but sends the password to the attacker instead of sending it (securely) to the correct site.

> Your trustbar tool is essentially just another way of putting information in
> front of the users face, however it does nothing that isn't already
> available.
This is mostly correct; TrustBar is a secure user interface mechanism. Our research (and common sense) shows that most users do not validate the URL and the certificate, but do notice our `unprotected page` warning vs. the correct logo of the site.

TrustBar also protects from the more advanced (academical?) spoofing attacks, that present fake location bar, padlock etc. But I think that's less important in practice.

> Since the "trustbar" is not part of the default distribution of
> a browser it will not do much to further awareness, or protect a user.  This
> is more so the case because a user who has the understanding to install the
> software will generally not be caught by a phishing scam or fooled by a
> spoofed server.

Well... TrustBar is just a research project; we definitely hope the ideas in it will be adopted in future releases of browsers. Also, I think that in many cases, it could be installed on machines of naive users (e.g. by the employer, organization, ISP, etc.). Finally, I actually believe that even security savvy users will find it much more convenient and secure to use TrustBar (or comparable technology) compared to checking manually whenever they use a sensitive site... I definitely feel much better about doing my e-banking now.
<skip>
> The reason this is important is because you claim the "lock" icon is
> misleading.  I say that the lock icon is more intuitive than a "trust bar"
> or the SSL warnings.  People using e-commerce sites have been indoctrinated
> to "look for the padlock" and "click on it for more information".
That's an interesting possibility... I didn't get this feedback in the surveys we did so far, but I'll try to check specifically for it in the future. BTW, I tried doing it on the Chase site and still didn't find any way to reach a protected login page there... is there?

> It is my opinion that you are likely doing more damage than good by spreading
> fear, uncertainty, and doubt about a widely used, and commonly accepted
> practice to which your proposed solution does essentially nothing about.
Sorry, that's not my intention. In all your arguments, I didn't see an answer to my simple question: why don't they protect the login page??? Considering that there is a trivial fix to the problem, and that I've pointed it out to all these sites before informing others, I can't really see where you find me wrong.

> I apologize if this seems unduly harsh, but I think that you may have lost
> sight of the intended audience during your academic pursuits.
No offense taken.

Best, Amir Herzberg
http://AmirHerzberg.com
Associate Professor, Computer science department, Bar Ilan University
