Subject: [IP] more on SSL/false security
-----Original Message-----
From: Strata R Chalup [mailto:strata@virtual.net]
Sent: Friday, August 10, 2007 6:14 AM
To: dave@farber.net
Subject: more on SSL/false security

http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html is a great writeup on two-phase authentication systems and man in the middle attacks, using a real exploit on Bank of America's SiteKey(tm) system as an example. Note that a proxied MitM attack can simply exploit the user's own security questions to bypass the 'secure' vendor cookie that supposedly prevents such attacks.

Note that the institutions using these systems often don't consider the impact of their own policies on site improvement. I had to spend some of my bank's tech support money to prove to myself that I hadn't been phished when they suddenly, without any notice to customers, "improved" the online UI. Log in, see a different interface that resembles the old one but is clearly different. The truly sad thing is that their tech support mentioned that they hadn't gotten many calls about this -- in a tone that implied "Why are you even asking?"

O Brave New World, that has such *cough* whatever in it.

best regards,
Strata R Chalup
CEO, founder
Virtual.Net Inc

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
* Artist, Gardener, Engineer, Slacker, Bodhisattva *
* Strategic IT Consulting | strata@virtual.net *
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*