Amir Herzberg wrote:
Hi guys, I'm afraid I've been disconnected from this group for a while.
Ian reminded me this is an important forum, so here are some updates.
1. I keep a `Hall of shame` of unprotected login pages, at
http://AmirHerzberg.com/shame.html; I've recently updated it
substantially (it now includes e.g. PayPal, Chase, Microsoft's Passport,
CitiGroup's SmithBarney, Bank of America, Amex,...). Most of these sites
do use SSL to encrypt the password, but not to protect the login form
itself against spoofing/phishing, which is imho the most common threat.
I'd love to hear your opinions and of course to add additional sites
you find (I'll add a `contributors` section - have a few already to add
there). In particular: I informed all these companies ahead of posting,
but most ignored or failed to act (the few that did fix are of course
not listed). Do you think I should not be publishing this info?
2. I've seen comments here by Ian and others on the TrustBar, NetCraft
bar, etc. Please understand that TrustBar is a research project and not
trying to compete with a commercial bar... however, this does not
necessarily mean a commercial bar is better. We considered doing
database lookups, and in fact got free access from Comodo to allow us to
do so, but decided not to do it from TrustBar exactly for privacy (and
also performance) considerations. IMHO, we can achieve all the security
goals without such an intrusive and wasteful DB access (of course this
access may be the whole point for NetCraft, maybe...).
We received a lot of positive responses on TrustBar, from users and also
from browser developers, and we believe it already made some positive
impact. We are now working on new versions. The first, 0.32, will be released
towards the end of June, and the main change there is an improved UI - making
TrustBar less intrusive and making it easier to rename sites.

good for you guys.
just don't expect me to use it.
no 3rd party products run in my browser.
no flash,
no javascript,
no adobe reader.
nothing.
no extras at all.
they are nothing but security risks, offering no real gain for the risk.
no website is trusted.
no ca is trusted.
those are the rules.
no firefox on my computer, too much of the infernal exploiter look/feel
to it.
too much reliance on java/javascript.
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security