Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Re: Defending users of unprotected login pages with TrustBar 0.4.9.9

from [mike03051] Network Security [Permanent Link]
Subject: Re: Re: Defending users of unprotected login pages with TrustBar 0.4.9.93
Date: 20 Sep 2005 19:40:03 -0000 

Amir,

Let?s differentiate the issues a bit for clarity. Specifically, let?s 
differentiate your Hall of Shame list from TrustBar features and functions.

We should all be able to agree on statements of fact: Both http: and https: 
(SSL) sites are subject to MITM exploits. 

I wonder then what is the justification for placing some sites in your Hall of 
Shame listing. It is not unreasonable to view your pages and come to the 
conclusion that HOS entries are there because they allow access to logon forms 
using an HTTP url. 

If that is the case, then I take exception to the prima facia claims on your 
site that these are Hall of Shame. They all submit secure web forms, like any 
other secure web site in the world. Your HOS identified sites are no more (or 
no less) susceptible to MITM than any other site in the world, either.

Now as for TrustBar. I have not downloaded or tested TrustBar, so I cannot 
vouch for how well it works, but from the web site it detects HTTPS connections 
and attempts to match the certificate with the url. This helps to read a 
certificate. One nice touch is the nice logo display for visual verification.

Now a question: does it work if the certificate is valid but says something 
like citibank.asecur-e.com? Do your company logo displays from a db or are they 
downloaded from the site?

Mike
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Chroot jails, Mamading Ceesay
Next by Date:  Re: HTML/Java Protection, Yousef Syed
Previous by Thread:  Re: Re: Defending users of unprotected login pages with TrustBar 0.4.9.93, Peter Conrad
Next by Thread:  HTML/Java Protection, confusionvalley
Indexes:  [Date] [Thread] [Top] [All Lists]