Interesting. -Tarun ,--------------- Forwarded message (begin) Subject: [OT] Netcraft: SSL's Credibility as Phishing Defense Is Tested From: Soh Kam Yung <[EMAIL PROTECTED]> Date: Wed, 10 Mar 2004 14:44:37 +0530 Newsgroup: gmane.user-groups.linux.singapore
Via Netcraft (http://news.netcraft.com/archives/2004/03/08/ssls_credibility_as_phishing_defense_is_tested.html): ===== SSL's Credibility as Phishing Defense Is Tested Internet "phishing" scams are incorporating the use of SSL certificates - both real and faked - in their efforts to trick users into divulging sensitive login information for financial accounts. This trend bears watching, as the presence of an SSL certficate was intially touted by consumer protection groups as a way to differentiate between scams and legitimate sites. [...] [S]ecurity professionals are focused on the limitations of SSL in the wake of a recent scam targeting Earthlink users [...] which employed an SSL certificate so the bogus page displayed the lock icon. In this case, the certificate appeared legit because it matched the URL of the fake page mimicking the Earthlink web site, but had no connection to Earthlink. Visitors would only detect the deception if they reviewed the certificate. [...] Scammers can also configure their web server so that deceptive SSL certificates won't trigger an alert in the user's browser. "One of the SSL encoding methods is 'plain text'," Neal Krawetz from Secure Science Corporation noted in the SANS post on the issue. "Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted (because 'plain text' doesn't use certificates). Keeping that in mind, the little lock icon may not even indicate an encrypted channel. The little lock only indicates an SSL connection." [...] A technique called visual spoofing offers another method to present a "lock" to visitors on a Scam phishing site. The technique alters the user interface of the web browser, substituting images for parts of the browser interface that would normally help users detect the fraud. Javascript links launch a new browser window without scrollbars, menubars, toolbars and the status bar - which allows the scam artists to substitute a fake status bar containing the URL for a legitimate site, along with an image of a "lock" indicating a secure SSL site. [...] ===== `--------------- Forwarded message (end) _______________________________________________ ilugd mailinglist -- [EMAIL PROTECTED] http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/[EMAIL PROTECTED]/
