RE: [Full-Disclosure] New Attack on Secure Browsing (fwd)
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] New Attack on Secure Browsing (fwd)
- From: "Brad Griffin" <b.griffin@xxxxxxxxxx>
- Date: Fri, 16 Jul 2004 10:39:11 +1000
Please forgive me for my tone, but this is just plain puerile, ridiculous and
profoundly FUD-mongering! It's a favicon, for the gods' sakes!
Granted, there will be a minority of people who may be misled by a fake padlock
in some convoluted phishing scam. However, can someone explain exactly what
needs to be fully disclosed about this non-issue, please?
Oh, how about using a favicon of a police cap? That'll really fukkem!
-----Original Message-----
From: full-disclosure-admin@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of J.A. Terranson
Sent: Friday, July 16, 2004 8:22 AM
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] New Attack on Secure Browsing (fwd)
*snipped*
---------- Forwarded message ----------
Date: Thu, 15 Jul 2004 17:12:30 +0100
From: Ian Grigg <iang@xxxxxxxxxxxxx>
To: Metzdowd Crypto <cryptography@xxxxxxxxxxxx>
Subject: New Attack on Secure Browsing
((((( Financial Cryptography Update: New Attack on Secure Browsing )))))
July 15, 2004
------------------------------------------------------------------------
http://www.financialcryptography.com/mt/archives/000179.html
------------------------------------------------------------------------
Congratulations go to PGP Inc - who was it, guys, don't be shy this time? - for
discovering a new way to futz with secure browsing.
Click on http://www.pgp.com/ and you will see an SSL-protected page with that
cute little padlock next to the domain name. And they managed that over HTTP, as
well! (This may not be seen in IE version 5, which doesn't load the padlock
unless you add it to favourites, or some such.)
Whoops! That padlock is in the wrong place, but who's going to notice?
It looks pretty bona fide to me, and you know, for half the browsers I
use, I often can't find the darn thing anyway. This is so good, I just
had to add one to my SSL page (http://iang.org/ssl/ ). I feel so much
safer now, and it's cheaper than the ones that those snake oil vendors sell :-)
What does this mean? It's a bit of a laugh, is all, maybe. But it could fool
some users, and as Mozilla Foundation recently stated, the goal is to protect
those that don't know how to protect themselves. Us techies may laugh, but
we'll be laughing on the other side when some phisher tricks users with the
little favicon.
It all puts more pressure on the oh-so-long overdue project to bring the
"secure" back into "secure browsing." Microsoft have befuddled the already
next-to-invisible security model even further with their favicon invention, and
getting it back under control should really be a priority.
Putting the CA logo on the chrome now seems inspired - clearly the padlock is
useless. See countless rants [1] listing the 4 steps needed and also a new
draft paper from Amir Herzberg and Ahmad Gbara [2] exploring the use of logos
on the chrome.
[1] SSL considered harmful
http://iang.org/ssl/
[2] Protecting (even) Naïve Web Users,
or: Preventing Spoofing and Establishing Credentials of Web Sites
http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
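The trick described in the forwarded post is that a site-controlled image (the favicon) is drawn next to the address, where users have been trained to look for the TLS padlock, and the page can be served over plain HTTP. The only signal that actually carries meaning is the transport: the URL scheme and the certificate validation the browser performed; the icon is just content. The following helper, added here as an example and not code from the thread or from PGP Inc, parses the `<link rel="icon">` declarations of a page and reports whether any lock a user sees next to that address could come only from the favicon. The HTML and hostnames in it are constructed for the example; it cannot tell from markup whether an icon *looks* like a padlock, only that the page declares one while the transport is insecure.

```python
"""Constructed example: separate a TLS padlock from a padlock-shaped favicon.

Given the URL a page was fetched from and its HTML, classify where a lock
shown next to the address could have come from.  Hostnames and markup are
constructed for this example; nothing here is the original posters' code.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _IconLinkParser(HTMLParser):
    """Collect href values of <link> elements whose rel token list contains 'icon'."""

    def __init__(self):
        super().__init__()
        self.icons = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":            # HTMLParser lowercases tag and attribute names
            return
        attr = {name: (value or "") for name, value in attrs}
        # rel is a whitespace-separated token list: "icon", "shortcut icon", "ICON"
        rel_tokens = attr.get("rel", "").lower().split()
        if "icon" in rel_tokens and attr.get("href"):
            self.icons.append(attr["href"])


def find_favicons(page_url, html):
    """Return the favicon URLs a page declares, with relative hrefs resolved."""
    parser = _IconLinkParser()
    parser.feed(html)
    parser.close()
    return [urljoin(page_url, href) for href in parser.icons]


def classify_padlock(page_url, html):
    """Classify the origin of any padlock a user might see beside this address.

    verdict values:
      'tls'               page fetched over https; a padlock in the chrome is the
                          browser's own indicator (subject to cert validation)
      'http-with-favicon' page fetched over http but declares a favicon; any lock
                          next to the address can only be that site-chosen image
      'http'              plain http and no favicon declared
    """
    scheme = urlparse(page_url).scheme.lower()
    favicons = find_favicons(page_url, html)
    transport_secure = scheme == "https"
    if transport_secure:
        verdict = "tls"
    elif favicons:
        verdict = "http-with-favicon"
    else:
        verdict = "http"
    return {
        "url": page_url,
        "transport_secure": transport_secure,
        "favicons": favicons,
        "verdict": verdict,
    }


# Constructed sample: a plain-HTTP login page that declares a padlock-shaped icon,
# the pattern the post above describes.
SPOOF_HTML = """<html><head><title>Secure Login</title>
<link rel="shortcut icon" href="/images/padlock.ico">
</head><body><form action="/login" method="post">...</form></body></html>"""


if __name__ == "__main__":
    for url in ("http://bank.example.test/login", "https://bank.example.test/login"):
        print(classify_padlock(url, SPOOF_HTML))
```

The point of the `verdict` field is that the same markup yields `tls` or `http-with-favicon` depending solely on the scheme the page was fetched over; nothing the page author puts in `<head>` can move it from one to the other.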