ARP-spoofing defense

Topher Fischer javert42 at
Wed Mar 14 11:29:20 MDT 2007

Levi Pearson wrote:
> Topher Fischer <javert42 at> writes:
>> Since I've started working on this, I haven't used a login form that
>> wasn't given to me over SSL.  Luckily, everything I use has some sort of
>> secure login form somewhere on their site.  I've tried to find one for
>> Zion's bank, and haven't been able to.  Fortunately, I don't bank with them.
> Zion's Bank uses one of those new-fangled multi-step logins.  You
> enter your user id on the front page, and then you are shown a picture
> and asked a question (over an SSL connection) or, if you've previously
> done this step and got a cookie, you're shown a picture and asked to
> enter your password.  Since only the user id is entered into the form
> in the non-SSL page, it should be safe from your particular attack.
>                 --Levi
Thanks for pointing that out.  I was going to use them as an example in
a presentation.  It does seem like some websites are figuring out that
serving username/password forms over an insecure connection is a bad
idea.  Sometime over the past month, SmithBarney changed their home
page, so that now it immediately switches over to an SSL connection.

Topher Fischer
GnuPG Fingerprint: 3597 1B8D C7A5 C5AF 2E19  EFF5 2FC3 BE99 D123 6674
javert42 at
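The thread's point (a password form served or submitted over plain HTTP is exposed to an on-path attacker, while a page that only collects a user id before switching to SSL is much less so) can be checked mechanically. The following auditor is an added example, not code from the original thread or from any of the sites mentioned; it parses a page's forms with Python's standard-library HTML parser, resolves each form's `action` against the page URL, and grades the form by whether a password field leaves the page in the clear. The `bank.example` URLs and the HTML snippets are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormAuditor(HTMLParser):
    """Collect every <form> on a page with its resolved action URL and
    whether it contains a password field and/or a username-style field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes arrive with value None
        if tag == "form":
            # A missing/empty action submits back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "password": False, "username": False}
        elif tag == "input" and self._current is not None:
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                self._current["password"] = True
            elif kind in ("text", "email"):
                self._current["username"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit(page_url, html):
    """Return (severity, action_url, reason) for each form that exposes
    credentials or an identifier to an unauthenticated HTTP path."""
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    parser.close()
    page_https = urlparse(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        action_https = urlparse(form["action"]).scheme == "https"
        if form["password"] and not action_https:
            findings.append(("HIGH", form["action"],
                             "password is submitted over plain HTTP"))
        elif form["password"] and not page_https:
            # The POST itself is encrypted, but the form came over HTTP, so
            # the page (and its action URL) is not protected in transit.
            findings.append(("MEDIUM", form["action"],
                             "password form served over HTTP; the page is unauthenticated"))
        elif form["username"] and not (page_https and action_https):
            # The multi-step pattern from the thread: only a user id leaves
            # the page in the clear, which is lower risk but still leaks an
            # identifier and still relies on an unauthenticated first page.
            findings.append(("LOW", form["action"],
                             "only a user id leaves the page over HTTP"))
    return findings


# Constructed sample: an HTTP home page with three different login forms.
SAMPLE_INSECURE_PAGE = """
<html><body>
<form action="/login"><input name="user" type="text"><input name="pass" type="password"></form>
<form action="https://bank.example/login"><input type="text" name="u"><input type="password" name="p"></form>
<form action="https://bank.example/step1"><input type="text" name="userid"></form>
</body></html>
"""

# Constructed sample: the same password form, but served and submitted over SSL.
SAMPLE_SECURE_PAGE = '<form action="/login"><input type="text"><input type="password"></form>'


if __name__ == "__main__":
    for severity, action, reason in audit("http://bank.example/", SAMPLE_INSECURE_PAGE):
        print(f"{severity:6} {action}  {reason}")
    print("secure page findings:", audit("https://bank.example/", SAMPLE_SECURE_PAGE))
```

Run against a saved copy of a login page, the HIGH entries are the forms that post a password in the clear; the MEDIUM entries are the SmithBarney-before-the-change case, where the POST is encrypted but the form itself arrived over HTTP and could be altered in transit; the LOW entries are the Zion's-style first step that only carries a user id.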


More information about the PLUG mailing list