
Re: Should login pages be protected by SSL?

Subject: Re: Should login pages be protected by SSL?
Date: Wed, 22 Jun 2005 08:54:38 +0200
Saqib Ali wrote:
>>open-source research project, we develop TrustBar, currently for FireFox
>>and soon also for IE; I'll appreciate your opinion. Download at
>>https://addons.mozilla.org/extensions/moreinfo.php?id=478.
>
> I use Trustbar on my win and linux box. It is a nice little utility.
> But it does NOT provide any greater functionality than the little
> "lock" icon that comes with mozilla by default. I am not really
> interested in who signed the website's certificate. I am more concerned
> with where the website is hosted and who owns the IP netblock.

Saqib, I'm glad you like TrustBar (and btw, we are testing and will soon ship a new version, with much improved UI - the biggest and justified complaint - and also improved functionality). However, I'm puzzled by your comment, which is two-sided:

1. You think TrustBar doesn't improve your security. I disagree. TrustBar improves protection dramatically:

1.1 For naive users (Ok, not you!), by making it much clearer when a site is unprotected, and making the identity of (protected) sites clear - by logo or at least name (possibly chosen by user, aka `petname`); current SSL just displays the URL which naive users don't dig at all (and I have usability data to support this common sense...).

1.2 But also for expert users (you!), who know to read URLs and check for the padlock etc... since it exposes the identity of the CA (again by name or logo). There are many CAs `trusted` by browsers and I doubt you trust all of them or that you should... In particular some CAs offer `domain validated only` certificates that do not validate the corporate identity, just the domain - and automatically, allowing one to get a certificate for misleading domain names such as paypaI.com and other homographic (e.g. IDN) attacks.

2. You think knowing the owner of the IP address/block will help you. But this does not help against MITM attacks...


-- 
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com

New: see my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame.html
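As an added example (not part of this thread, and not TrustBar's code), a defender-side check that flags hostnames which are visual lookalikes of sites the user knows, covering the paypaI.com substitution and the IDN/homograph case raised above. The list of known sites and the confusable-character table are constructed assumptions for the example.

```python
import unicodedata

# Constructed for this example: sites the user actually logs in to.
KNOWN_SITES = {"paypal.com", "bankofamerica.com", "mozilla.org"}

# Browsers lowercase hostnames, so the capital I in "paypaI.com" becomes "i".
# Map ASCII and Cyrillic lookalikes to one canonical "skeleton" letter so that
# "paypai", "paypa1" and "p\u0430ypal" all collapse to "paypal". Partial table, constructed.
CONFUSABLES = {
    "1": "l", "i": "l", "|": "l", "!": "l",
    "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0456": "l", "\u04bb": "h",   # Cyrillic с у і һ
}


def skeleton(host: str) -> str:
    """Reduce a hostname to a form in which visually similar names compare equal."""
    # NFKC folds full-width and other compatibility forms (e.g. "ｐ" -> "p").
    folded = unicodedata.normalize("NFKC", host).lower()
    collapsed = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    # Two-character sequences that render like one letter.
    return collapsed.replace("rn", "m").replace("vv", "w")


def classify(host: str) -> tuple:
    """Return (verdict, detail): 'known', 'lookalike' (with the site it imitates),
    'idn-unknown' (with the punycode form the wire actually carries) or 'unknown'."""
    host = host.strip().rstrip(".").lower()
    if host in KNOWN_SITES:
        return ("known", host)
    sk = skeleton(host)
    for known in sorted(KNOWN_SITES):
        if sk == skeleton(known):
            return ("lookalike", known)
    # A non-ASCII (IDN) label is sent as an "xn--" punycode label; showing that
    # form is what makes a homograph visible to an expert reader of the URL.
    if any(ord(ch) > 127 for ch in host):
        return ("idn-unknown", host.encode("idna").decode("ascii"))
    return ("unknown", host)


if __name__ == "__main__":
    for h in ["paypal.com", "paypaI.com", "paypa1.com", "p\u0430ypal.com",
              "bankofarnerica.com", "example.com", "\u043f\u0440\u0438\u043c\u0435\u0440.com"]:
        print(h, "->", classify(h))
```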
