Gervase Markham wrote:
Tyler Close wrote:
The user could mistype the URL. To take a recent example, it appears
Amir, a security researcher, mistakenly typed in citybank.com, instead
of citibank.com. Similar things happen with all sorts of domain names.

Admission of guilt.

...

I certainly agree that educating users to bookmark valuable sites, and
use the bookmarks, is a useful step.

Thanks for the education! The problem is really with my typing speed,
which makes it faster for me to type than to use bookmarks for many
sites. Do you consider various ways to make typing URLs harder, as an
educational measure?

If the attacker takes over my DNS server, or gets me to connect to the
wrong DNS server, he can direct me to whatever site he likes.
Obviously, this kind of pharming attack also works against bookmarks.

Not over SSL - you'd get warning dialogs.

Well, really, Gerv, not from you...
1. Most users, as you know well, ignore these. Can't blame them, really.
2. Many users will use the bookmark to an unprotected page, and login by
following another link, in which case, pharming works fine, no
warnings... Again I'm setting a bad personal example, since I do this
for _all_ my e-banking sites. And, educating me again won't help, since I
don't always have a choice for various reasons (e.g. one of them is one
of the `unprotected login` pages I list in my `Hall of shame`, I noticed
only when using TrustBar, and found a workaround but still need to go
thru the unprotected page).
3. And of course we depend again on a CA doing its job. I'm sure most
do. But I like to know whom I trust, e.g. in case one of them gets
compromised or simply controlled by the Mob... No easy fix for that in
current browsers (without TrustBar).
Best, Amir Herzberg
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security