
Re: Must we authenticate login forms (using SSL?)?

Subject: Re: Must we authenticate login forms (using SSL?)?
Date: 30 Sep 2005 00:25:12 -0000
Amir,

Thank you for the response and clarification. As to whether I am a security 
expert, it depends on whether in your opinion a security expert is made through 
certification. If so, neither you nor I would qualify as neither of us appears 
to flaunt any security certifications.

I gather from your response that we agree that HTTP and HTTPS pages are equally 
susceptible to both phishing and MITM attacks. An attacker can always use a 
bank's name URL, as for example, citibank.ny02110.biz will work. All the 
attacker needs to do is acquire a certificate for their site and they will be 
able to host an SSL site.

Since we agree on this point of fact, I find the entire HOS listing pointless 
and misleading. It is your choice as to what you wish to do with it. Leave it 
up if you feel like it.

I do believe that TrustBar offers many advantages for a user who chooses to 
download it. Whether it can read the certificate or not is probably not one of 
its major strengths as citibank.ny02110.biz is maybe just not enough 
information for a user.

I do want to thank you for the insight into your tool and the explanation of 
the HOS reasoning.

Mike
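
The lookalike-URL point in the message above, as an added defender-side check that is not part of the original post or of TrustBar: a certificate for citibank.ny02110.biz is valid for that host, so a login-form check has to compare the registrable domain against the brand's real domain rather than test for TLS. The tiny suffix list and the function names are assumptions made for this example.

```python
"""Decide whether a login URL really belongs to the brand it names.

Added example, not code from the thread. The suffix list below is a
constructed stand-in for the Public Suffix List so the check runs offline.
"""
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "biz", "net", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1), e.g. 'ny02110.biz'."""
    labels = host.lower().rstrip(".").split(".")
    # Scanning from the left finds the longest known suffix first.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def classify_login_url(url: str, brand_domain: str) -> dict:
    """Report whether the URL's host is under brand_domain.

    A brand name sitting in a left-hand label while the registrable domain
    differs is the lookalike pattern discussed in the thread; TLS on its
    own says nothing about that.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    actual = registrable_domain(host)
    expected = registrable_domain(brand_domain)
    brand_label = expected.split(".")[0]
    # Labels to the left of the registrable domain (attacker-controlled).
    left_labels = host.split(".")[:-len(actual.split("."))] if host else []
    return {
        "host": host,
        "registrable_domain": actual,
        "uses_tls": parts.scheme == "https",
        "matches_brand": actual == expected,
        "brand_in_subdomain": actual != expected
        and any(brand_label in lbl for lbl in left_labels),
    }
```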
