Amir Herzberg wrote:
Ian Grigg wrote:

http://www.financialcryptography.com/mt/archives/000179.html

Yes, the FavIcon can become a real favorite with conmen and phishers... But I think the real use would not be to present SSL icon where it is not really used; as I found, many `serious` web sites such as Yahoo!, Chase, Microsoft's Passport, Ebay,... (see fig 5 of http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm) already ask for passwords in a non-SSL-protected page.
...
The solution: allow a FavIcon only if it is properly approved by the user or someone trusted by the user (a peer, a-la-PGP, or a trustworthy Logo Certifying Authority). I.e., the FavIcon should be a part of the Trusted Logo and Credentials Area (see paper for details). While I must admit we didn't do this yet in our prototype, adding this functionality should not be too difficult (and we'll probably do it soon).

I think the real emphasis of the favicon attack is just that it highlights how weak the padlock has become as a security issue. I don't see spoofers or phishers adopting it in any seriousness, because they quite happily ignore the padlock in most cases anyway - as do their victims.

So as a point of clarification - I don't think there is much point in Mozilla or anyone putting any effort into protecting the favicon. But there is a lot of point in re-thinking the entire browser security display.

(As per your paper, as per the numerous discussions.)

iang

PS: BTW, FTR, it seems that IE is not vulnerable to this, as an IE user has to add the site as a "favourite." Oddly, this matches more or less what you are proposing in the paper! I don't see any evidence that Microsoft were thinking that at the time, but presenting that line of thinking in your paper may bear thinking about?
_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security