Re: once more, with feeling.
On Mon, Sep 08, 2008 at 04:16:46PM +0100, Darren J Moffat wrote:
| I believe the only way both of these highly dubious deployment practices
| will be stamped out is when the browsers stop allowing users to see such
| web pages. So that there becomes a directly attributable financial
| impact to the sites that deploy in that way.
|
| As much as I like Firefox & Safari [ the only two browsers I use now ]
| this has to be led by Microsoft with Internet Explorer since that will
| have the biggest impact, given IE 8 is in beta this seems like a perfect
| opportunity to get this in as a change for the next version.

Not speaking for my employer here.

Most browser vendors try to display pages as best they can. Both end users and businesses get very upset at browser makers who push security improvements by breaking existing practices. If such changes were to happen, then they should either be emergency (seems unlikely, given how long this has been around) or planned and communicated. Adding something high impact after beta 2 doesn't seem like good communication.

What makes now the perfect time to address an issue which has been present for quite some time?

Adam

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: once more, with feeling.
Darren Lasko wrote:
> Arshad Noor wrote:
>> "6.5 Develop all web applications based on secure coding guidelines
>> such as the Open Web Application Security Project guidelines"
>
> Isn't this vulnerability already in the Top 10, specifically "A7 - Broken
> Authentication and Session Management"
> ( http://www.owasp.org/index.php/Top_10_2007-A7)?

I was just informed of this 10 minutes ago, privately. Not sure how I missed this the last time I read the document (perhaps because I was focusing on remediating an application related to two other vulnerabilities on a project), but the bank examiners also apparently missed this for Wachovia.

While login pages are not required to be PCI-DSS compliant (since they generally do not deal with credit card numbers), it has been my impression that many companies are adopting OWASP guidelines for all their web-projects. Perhaps it's taking time for some more than others.

Arshad Noor
StrongAuth, Inc.
Re: once more, with feeling.
Arshad Noor wrote:
> A more optimal solution is to have this vulnerability accepted by
> the OWASP community as a "Top 10" security vulnerability; it will
> have the appropriate intended effect since mitigation to the OWASP
> defined vulnerabilities is required in PCI-DSS:
>
> "6.5 Develop all web applications based on secure coding guidelines
> such as the Open Web Application Security Project guidelines"

Isn't this vulnerability already in the Top 10, specifically "A7 - Broken Authentication and Session Management" ( http://www.owasp.org/index.php/Top_10_2007-A7)?

From the "Protection" section for A7:

"Do not allow the login process to start from an unencrypted page. Always start the login process from a second, encrypted page with a fresh or new session token to prevent credential or session stealing, phishing attacks and session fixation attacks."

Best regards,
Darren Lasko
Principal Engineer
Advanced Development Group, Storage Products
Fujitsu Computer Products of America
Re: once more, with feeling.
Paul Hoffman wrote:
> A less extreme solution would be to make the warning the user sees on a
> mixed-content page more insulting to the bank. "This page contains both
> encrypted and non-encrypted content and is inherently insecure. The owner
> of this web site has clearly made a very poor security decision in showing
> this page to you. It is likely that other pages on this site also have
> similarly poor security. Knowing this, do you wish to continue anyway?"

A more optimal solution is to have this vulnerability accepted by the OWASP community as a "Top 10" security vulnerability; it will have the appropriate intended effect since mitigation to the OWASP defined vulnerabilities is required in PCI-DSS:

"6.5 Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines"

https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
http://www.owasp.org/index.php/Top_10_2007

Arshad Noor
StrongAuth, Inc.
Re: once more, with feeling.
At 4:16 PM +0100 9/8/08, Darren J Moffat wrote:
> Hopefully this is interesting enough to get forwarded on...

Ditto. :-)

> Warnings aren't enough in this context [ they already exist ] the only
> thing that will work is stopping the page being seen - replacing it with
> a clearly worded explanation with *no* way to pass through and render the
> page (okay maybe with a debug build of the browser but not in the shipped
> product).

It depends on how we think change can be achieved. Until now, people designing pages using bad security practices balanced their laziness with the fact that their content would be displayed anyway so whatever. You are proposing moving to the other extreme. Given how easy your solution would be for browser vendors to implement, we have to assume that they have considered it and rejected it.

A less extreme solution would be to make the warning the user sees on a mixed-content page more insulting to the bank. "This page contains both encrypted and non-encrypted content and is inherently insecure. The owner of this web site has clearly made a very poor security decision in showing this page to you. It is likely that other pages on this site also have similarly poor security. Knowing this, do you wish to continue anyway?"

--Paul Hoffman, Director
--VPN Consortium
Re: once more, with feeling.
Perry E. Metzger wrote:
> I was shocked that several people posted in response to Peter Gutmann's
> note about Wachovia, asking (I paraphrase): "What is the problem here?
> Wachovia's front page is only http protected, but the login information
> is posted with https! Surely this is just fine, isn't it?"

[snip]

> (I won't be forwarding followups to this unless they are unusually
> interesting.)

Hopefully this is interesting enough to get forwarded on...

Sadly this practice is all too common, and often goes hand in hand with the other "cardinal sin" of https, that of mixed http/https pages.

I believe the only way both of these highly dubious deployment practices will be stamped out is when the browsers stop allowing users to see such web pages. So that there becomes a directly attributable financial impact to the sites that deploy in that way.

As much as I like Firefox & Safari [ the only two browsers I use now ] this has to be led by Microsoft with Internet Explorer since that will have the biggest impact, given IE 8 is in beta this seems like a perfect opportunity to get this in as a change for the next version.

Warnings aren't enough in this context [ they already exist ] the only thing that will work is stopping the page being seen - replacing it with a clearly worded explanation with *no* way to pass through and render the page (okay maybe with a debug build of the browser but not in the shipped product).

--
Darren J Moffat
Re: More US bank silliness
> "Peter" == Peter Gutmann <[EMAIL PROTECTED]> writes:

Peter> On a semi-related topic, it'd be interesting to get some
Peter> discussion about FF3 removing the FF2 SSL indicators of the
Peter> padlock and (more visibly) the background colour-change for
Peter> the URL bar when SSL is active and replacing it with a
Peter> spoof-friendly indicator that's part of the favicon,
Peter> i.e. part of the attacker-controlled content. The URL bar
Peter> colouring was by far the most visible security indicator
Peter> that any web browser had, the giant leap backwards of
Peter> moving to a near-invisible blue border around the favicon
Peter> does nothing to indicate security and is trivially spoofed
Peter> by putting a blue border around the favicon. There's a
Peter> bugzilla bug filed against it,
Peter> https://bugzilla.mozilla.org/show_bug.cgi?id=430790 (with
Peter> inevitable dups,

Peter, list, the W3C Web Security Context working group is in the final week of a public last call on their user interface guidelines. These guidelines take a look both at the balance between EV-certs and at user interface for security indicators. Comments need to be received by September 15.

The draft is at http://www.w3.org/TR/2008/WD-wsc-ui-20080724/ and my take is at http://www.painless-security.com/blog/2008/08/w3sc-lc/ .
once more, with feeling.
I was shocked that several people posted in response to Peter Gutmann's note about Wachovia, asking (I paraphrase): "What is the problem here? Wachovia's front page is only http protected, but the login information is posted with https! Surely this is just fine, isn't it?"

I'm not going to explain why this is wrong. It should be obvious. If it isn't obvious to you, you should try thinking like an attacker for a few moments. If it still isn't obvious to you why this is very bad, read the list archives.

(I won't be forwarding followups to this unless they are unusually interesting.)

Perry
--
Perry E. Metzger [EMAIL PROTECTED]
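The two deployment mistakes this thread is about, a login form served from a plain-http page (the Wachovia pattern Perry describes, even when the form posts to https) and mixed http/https content on an encrypted page (the "cardinal sin" Darren mentions, and the A7 protection text Darren Lasko quotes), can both be checked for mechanically before an examiner or a list reader has to. The following is an added example, not code from the thread or from any bank, browser vendor or OWASP; it is a small Python audit that parses a fetched page and reports both patterns. The host names and markup are constructed samples, and `audit_page` is a name chosen here.

```python
"""Audit a fetched HTML page for the two deployment mistakes discussed in
this thread: a login form served from an unencrypted (http) page, and mixed
http/https content on an encrypted page.  Added example; the sample pages and
host names below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PageScanner(HTMLParser):
    """Collect each form (its action and whether it carries a password field)
    and the URLs of the sub-resources the page pulls in."""

    # tag -> attribute that names a sub-resource the browser will fetch
    RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.forms = []       # [{"action": str, "password": bool}, ...]
        self.resources = []   # raw URLs, resolved against the page URL later
        self._form = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "text").lower() == "password":
                self._form["password"] = True
        attr = self.RESOURCE_ATTRS.get(tag)
        if attr and a.get(attr):
            # Only stylesheets count among <link> elements; skip icons etc.
            if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
                return
            self.resources.append(a[attr])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_page(page_url, html):
    """Return a list of findings (strings) for the page served at page_url."""
    scanner = _PageScanner()
    scanner.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []

    for form in scanner.forms:
        if not form["password"]:
            continue
        action_url = urljoin(page_url, form["action"])
        action_scheme = urlsplit(action_url).scheme.lower()
        if page_scheme != "https":
            # The page itself arrived unauthenticated, so anyone on the path can
            # rewrite the form (its action, or the script that handles it) before
            # the user sees it; posting to https does not repair that.
            findings.append(f"login form served over {page_scheme}: {page_url}")
        if action_scheme != "https":
            findings.append(f"login form posts over {action_scheme}: {action_url}")

    if page_scheme == "https":
        for res in scanner.resources:
            res_url = urljoin(page_url, res)
            if urlsplit(res_url).scheme.lower() == "http":
                findings.append(f"mixed content: {res_url}")
    return findings


# Constructed sample pages (not real bank markup).
HTTP_LOGIN_PAGE = """<html><body>
<form method="post" action="https://login.example.net/auth">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

MIXED_CONTENT_PAGE = """<html><head>
<script src="http://cdn.example.net/app.js"></script>
<link rel="stylesheet" href="/style.css">
</head><body>
<form method="post" action="/auth"><input type="password" name="p"></form>
<img src="http://images.example.net/logo.gif">
</body></html>"""

CLEAN_PAGE = """<html><body>
<form method="post" action="/auth"><input type="password" name="p"></form>
<img src="/logo.gif"><script src="https://cdn.example.net/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for url, page in [("http://www.example.net/", HTTP_LOGIN_PAGE),
                      ("https://www.example.net/", MIXED_CONTENT_PAGE),
                      ("https://www.example.net/", CLEAN_PAGE)]:
        print(url, audit_page(url, page) or ["ok"])
```

The first sample is exactly the pattern the thread argues about: the form's action is https, yet the audit still flags it, because the check keys on the scheme of the page that delivered the form, not on where the form posts. The second sample is flagged for the script and image fetched over http from an https page; the stylesheet is relative and resolves to https, so it is not. Run against live pages, feed `audit_page` the final URL after redirects, since a page that starts on http and bounces to https is the clean case, not the flagged one.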
No Legitimate Expectation of Privacy for Data on Office Computer, Court Says
An employee has no reasonable expectation of privacy in personal files stored on a company-owned computer and an employer's consent makes a police search lawful, an appeals court says in a ruling of first impression in New Jersey.

"We conclude ... that neither the law nor society recognize as legitimate defendant's subjective expectation of privacy in a workplace computer he used to commit a crime," Judge Marie Simonelli wrote for the three-judge panel in State v. M.A., A-4922-06.

Read More: http://www.law.com/jsp/article.jsp?id=1202424228730

saqib
http://doctrina.wordpress.com/
Re: Quiet in the list...
Peter Gutmann wrote:
> IanG <[EMAIL PROTECTED]> writes:
>> 4. Skype. Doesn't do email, but aside from that minor character flaw, it
>> cracked everything else. It's the best example of what it should look
>> like.
>
> The UI still leaves quite a lot to be desired. Try sitting a non-geek
> user in front of a fresh Skype install and see how long it takes them to
> figure out how to make a phonecall to (say) a Skype user name supplied
> via email. I've seen times of 15+ minutes to make the first call (OK, so
> I treat neighbours and family as UI guinea pigs :-). Skype still has a
> lot of fundamental usability flaws like the inability to remember a
> password (requiring it to be manually re-entered each time it's run
> unless you choose to start Skype on system boot) that make it a
> less-than-perfect example of usable security.

I don't know what OS you are running Skype on but for me on MacOS X I never have to enter my Skype password because it is saved in the MacOS X keyring and Skype isn't set to start at system boot (user login really) for my account.

--
Darren J Moffat
Re: More US bank silliness
Hi,

This reminds me of the weirdest SSL related error message I have ever seen, and which has been there for ages: https://www.fbi.gov

Besides that, the certificate is wrong :-)

regards,
Sebastian

On Mon, Sep 08, 2008 at 01:29:34AM +1200, Peter Gutmann wrote:
> In the ongoing comedy of errors that is US online banking "security" I've just
> run into another one that's good for a giggle: Go to www.wachovia.com and,
[...]

---
~~ perl self.pl ~~ $_='print"\$_=\47$_\47;eval"';eval
~~ [EMAIL PROTECTED] - SuSE Security Team
~~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)