[EMAIL PROTECTED] wrote:
On Sun, 18 Mar 2007, Von Fugal wrote:
Unfortunately, with Zions, at least as far as I've seen, the username
that they use is your SSN.
You may not have looked far enough. I do my dad's online banking
(bill paying) with Zions when he's away, and his banking
On Mon, 2007-03-19 at 08:34 -0600, Brandon Stout wrote:
I avoid banks - go Credit Unions! Bank is, after all, a 4 letter
word... Most banks and credit unions use http for the front page and
other public pages. Encryption increases bandwidth usage, so for
large banks this makes
UCCU does redirect to https when just viewing the main page. Kudos UCCU
Hit www.uccu.com and you will be redirected to secure.
UCCU does redirect to https when just viewing the main page. Kudos UCCU
Hit www.uccu.com and you will be redirected to secure.
What's the point in wasting the cycles to encrypt the home and other
public pages?
Shouldn't you just need…
https://pb.uccu.com/UCCU/login.aspx
…and deeper
On 3/19/07, Wade Preston Shearer [EMAIL PROTECTED] wrote:
What's the point in wasting the cycles to encrypt the home and other
public pages?
Shouldn't you just need…
https://pb.uccu.com/UCCU/login.aspx
…and deeper secure?
If the UCCU main page was not secure, then the same ARP trick could be
used to display a fake UCCU page which redirects to a non-secure rogue
page to steal login credentials. So I for one, like the fact that the
whole site is encrypted.
My credit union (America First) uses a two-step, account #
Thus said [EMAIL PROTECTED] on Sun, 18 Mar 2007 22:00:46 MDT:
You may not have looked far enough. I do my dad's online banking (bill
paying) with Zions when he's away, and his banking username has
nothing to do with his SSN.
And you may not have been dealing with Zions long
* Levi Pearson [Wed, 14 Mar 2007 at 11:22 -0600]
Topher Fischer [EMAIL PROTECTED] writes:
Since I've started working on this, I haven't used a login form that
wasn't given to me over SSL. Luckily, everything I use has some sort of
secure login form somewhere on their site. I've
On Sun, 18 Mar 2007, Von Fugal wrote:
Unfortunately, with Zions, at least as far as I've seen, the username
that they use is your SSN.
You may not have looked far enough. I do my dad's online banking
(bill paying) with Zions when he's away, and his banking username has
nothing to do with his
On Thu, 15 Mar 2007 at 09:59 -0600, Levi Pearson wrote:
Andy Bradford [EMAIL PROTECTED] writes:
How about you just put a known_hosts with all your host fingerprints in
it on your laptop before you connect from offsite? Hopefully offsite
doesn't mean connecting from public computer
On Fri, 2007-03-16 at 15:27 -0600, Hans Fugal wrote:
I _know_ I lack the paranoia. I mean seriously, unless you are a secret
agent nobody is sitting outside your home (in the case of wireless) or
tapped into your network poised to do an ARP spoof.
Security is important, but not important
Andy Bradford [EMAIL PROTECTED] writes:
How about you just put a known_hosts with all your host fingerprints in
it on your laptop before you connect from offsite? Hopefully offsite
doesn't mean connecting from public computer systems... All it takes is
one PC that you think can be
I'm doing a little research project that uses ARP-spoofing to perform an
attack. It's kind of unnerving to see how easy it is to perform a
man-in-the-middle attack with ARP-spoofing, and mess with somebody's
network traffic.
My first question is, does anybody here actively do anything to protect
On Wednesday 14 March 2007 10:52, Topher Fischer wrote:
I'm doing a little research project that uses ARP-spoofing to perform an
attack. It's kind of unnerving to see how easy it is to perform a
man-in-the-middle attack with ARP-spoofing, and mess with somebody's
network traffic.
My first
On Wed, 2007-03-14 at 10:07 -0700, Nicholas Leippe wrote:
This is an optimization. Your host does this with the idea that if you do
decide to talk to one of these machines from which it has already seen ARP
traffic, it can skip that step.
As for man-in-the middle, playing with ARP can
On Wed, 2007-03-14 at 10:52 -0600, Topher Fischer wrote:
Also, in my mind, the solution to this problem seems too easy. I must
be missing something. Why do machines even pay attention to ARP replies
that they did not solicit? Why isn't ARP just implemented so that when
a request is sent
On Wed, 2007-03-14 at 11:09 -0600, Michael L Torrie wrote:
On Wed, 2007-03-14 at 10:07 -0700, Nicholas Leippe wrote:
As for man-in-the middle, playing with ARP can cause disruption of
services, and could intercept insecure protocols. Which is why for
critical data, ssl or other
Michael L Torrie wrote:
On Wed, 2007-03-14 at 10:07 -0700, Nicholas Leippe wrote:
This is an optimization. Your host does this with the idea that if you do
decide to talk to one of these machines from which it has already seen ARP
traffic, it can skip that step.
As for man-in-the
On Wed, 2007-03-14 at 11:22 -0600, Levi Pearson wrote:
Topher Fischer [EMAIL PROTECTED] writes:
Since I've started working on this, I haven't used a login form that
wasn't given to me over SSL. Luckily, everything I use has some sort of
secure login form somewhere on their site. I've
Levi Pearson wrote:
Topher Fischer [EMAIL PROTECTED] writes:
Since I've started working on this, I haven't used a login form that
wasn't given to me over SSL. Luckily, everything I use has some sort of
secure login form somewhere on their site. I've tried to find one for
Zion's bank,
Corey Edwards [EMAIL PROTECTED] writes:
It's vulnerable to a non-ssl attack. Swap out the https login URL for
one of your own devising. Then simply proxy all the https info to the
user over your spoofed http connection. It would work against anybody
who doesn't verify the cute little lock
Michael L Torrie wrote:
Additionally this is why SSL uses certificates that should be verified
to prove that the host is who it says it is. Also ssh key fingerprints
should always be verified. How often do we ssh into a box and just
automatically type yes to the fingerprint authorization?
On Wednesday 14 March 2007 13:53, Nicholas Leippe wrote:
On Wednesday 14 March 2007 11:09, Michael L Torrie wrote:
On Wed, 2007-03-14 at 10:07 -0700, Nicholas Leippe wrote:
This is an optimization. Your host does this with the idea that if you
do decide to talk to one of these machines
Michael L Torrie wrote:
On Wed, 2007-03-14 at 10:07 -0700, Nicholas Leippe wrote:
This is an optimization. Your host does this with the idea that if you do
decide to talk to one of these machines from which it has already seen ARP
traffic, it can skip that step.
As for man-in-the
On Wed, 2007-03-14 at 14:12 -0600, Topher Fischer wrote:
Well, this makes me wonder. Is there a standard way to configure ssh to
use certificates, and for clients to maintain a list of trusted CAs and
trusted certificates?
Well the theory of SSL certificates is that if you trust the root
Thus said Nicholas Leippe on Wed, 14 Mar 2007 12:53:10 PDT:
I've always wondered about that. I search the man pages, and looked at
the host key/files, but never figured out how to find the host's
fingerprint to do this. I've thought about recording all of our
server's
26 matches