Re: Defending users of unprotected login pages with TrustBar 0.4.9.93

Subject: Re: Defending users of unprotected login pages with TrustBar 0.4.9.93
Date: Tue, 20 Sep 2005 09:56:37 +0200
A few responses tried to correct me, and explained that these `unprotected login forms`, e.g. of Chase and BoA, are OK since they encrypt before sending the password. For example, Mike said:

> As I suspected, the hall-of-shame posted on Amir's site may be a bit misguided since these pages do in fact submit HTTPS (SSL) logins

Thanks - but you are wrong. Using SSL/TLS to send the password is insufficient to ensure security against a Man In The Middle (MITM) adversary. A MITM attacker can send a fake login form to begin with.

This is a well known problem, which was discussed on this list. I explain it in detail in the FAQ page of the Hall of Shame.

Indeed, I mentioned that we added to TrustBar two mechanisms to defend users of sites using unprotected login forms... The first solution simply redirects them to a protected alternative page, when we are aware of it. Such protected alternative login pages exist for most banks who have unprotected login, e.g. Chase, Wachovia, US Bank, PayPal, BoA.

The other solution simply establishes that the login form was not modified - hence, preventing the MITM attack, while leaving the web page exactly as it was. This would work for sites that do not have a protected login at all - as long as their (unprotected) login page does not change. It would work better, if these pages were at least digitally signed...
--
Best regards,


Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame
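Added example, not part of the original message or of TrustBar: a defender-side check for the two points made above. It flags a password form delivered over plain HTTP even when its action posts to HTTPS (the "encrypts before sending" case), and it fingerprints the login form's action and fields so that a later fetch can be compared against a known-good copy, the idea behind the second mechanism. The page URL and HTML are constructed sample input; the bank hostnames are placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a login form served over plain http whose action posts
# to https, the pattern discussed in the thread. Hostnames are placeholders.
LOGIN_PAGE_URL = "http://bank.example/"
LOGIN_PAGE_HTML = """
<html><body><h1>Welcome</h1>
<form name="login" method="post" action="https://secure.bank.example/logon">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form></body></html>
"""

class _FormCollector(HTMLParser):
    """Collects each form's action plus the (type, name) of its inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("type", "text"), a.get("name", "")))
    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

def password_forms(html):
    """Return only forms that contain a password field, i.e. login forms."""
    p = _FormCollector()
    p.feed(html)
    return [f for f in p.forms if any(t == "password" for t, _ in f["inputs"])]

def is_unprotected_login(page_url, html):
    """True when a login form is delivered over http; an https action does not help,
    because a MITM can rewrite the form before the user ever sees it."""
    return urlsplit(page_url).scheme != "https" and bool(password_forms(html))

def form_fingerprint(html):
    """SHA-256 over the login form's action and field list; ignores page chrome so
    cosmetic edits elsewhere do not trigger false alarms."""
    canon = "|".join(f"{f['action']}:" + ",".join(t + "=" + n for t, n in f["inputs"])
                     for f in password_forms(html))
    return hashlib.sha256(canon.encode()).hexdigest()

def form_unchanged(html, known_fingerprint):
    """Compare a freshly fetched page against a fingerprint recorded earlier."""
    return form_fingerprint(html) == known_fingerprint
```

A recorded fingerprint only helps for sites whose login form is stable, which is exactly the limitation the message notes for the second mechanism.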
