John Gilmore wrote:
> Perhaps the idea of "automatically" redirecting people to alternative
> pages goes a bit too far:
Of course, users can turn this off for one page or for all, but that's not yet answering John's comments below - I respond following them...

Also: I am not crazy about this solution either, but I think the current situation, where very large banks insist on providing unprotected login pages, is even worse. I tried convincing them, and I must say few did change, e.g. Wells Fargo I think. I'll be happy to hear of better solutions (or do you think the current state is better?).
>> 1. TrustBar will automatically download from our own server,
>> periodically, a list of all of the unprotected login sites, including
>> any alternate protected login pages we are aware of. By default,
>> whenever a user accesses one of these unprotected pages, she will be
>> automatically redirected to the alternate, protected login page.

> How convenient!  So if I could hack your server, I could get all
> TrustBar users' accesses -- to any predefined set of pages on the
> Internet -- to be redirected to scam pages.
What if the list is signed by one or more authorities that users are willing to trust on this matter?

Or just have the list in a trusted site - after all, if someone breaks Google, they can redirect much more than by attacking our server...

> A redirect to an "untrustworthy" page is just as easy as a redirect to a
> "trustworthy" page.  The question is who you trust.
We are not redirecting to a trustworthy site (e.g., your bank is insecure, try that one instead...). We simply redirect to an SSL protected page of the same entity (bank) if we know one.

>> BTW, TrustBar is an open-source project, so if some of you want to
>> provide it to your customers, possibly customized (branded) etc., there
>> is no licensing required.


> Also providing a handy platform for slightly modified versions, that will
> take their cues from a less "trustworthy" list of redirects.
Are you now against open source in general? After all, for this attack, Mozilla would be a much better target... In fact, since "everybody" uses Windows, any stupid program can redirect users to fake sites - and do much worse...

Anyway - thanks for the feedback.
--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]