From: Amir Herzberg (herzbeacs.biu.ac.il)
Date: Thu Oct 21 2004 - 03:40:25 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Web spoofing and phishing attacks are probably the largest current
threat to sensitive and financial web sites. Yet, many web site
designers and webmasters, as well as browser developers, fail to take
the basic measures to prevent such attacks. In fact, some of the largest
and most visible and sensitive web sites still ask users to enter
passwords into unprotected web forms - making it trivial for attackers
to emulate these pages and steal passwords. These include PayPal, chase,
  Microsoft's passport, Yahoo!, eBay, TD Waterhouse,... (I've checked
most of them about a month ago and this was still the case; I've checked
  PayPal today...)

What's wrong with these web site owners??? Is there any excuse?? Can't
they fix this trivial bug _before_ hackers use this to steal lots of
userid-passwords and money?? It is frightning to think of the potential
result of such negligence!!

I noticed this weakness of major sites, while testingTrustBar. TrustBar
is a tiny open-source anti spoofing/phising tool we develop as part of
Ahmad Gbara's masters thesis; the research is in
http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm.
TrustBar is currently available for Mozilla and FireFox browsers from
http://TrustBar.mozdev.org. Try it...

TrustBar appears at the top of each window opened by the browser, and
displays either a clear warning for insecure pages (useful to notice
unprotected sites...), or the identity of the site and of the
certificate authority which identified it - either by names or by logos
(logos are much better for security, convenience and branding, but since
current certificates do not include logos, currently TrustBar users have
to select them manually (once) from the right-click mouse menu -
actually, this is not so bad, from my experiance).

Best, Amir Herzberg

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]