ARP-spoofing defense

Topher Fischer javert42 at cs.byu.edu
Wed Mar 14 11:29:20 MDT 2007


Levi Pearson wrote:
> Topher Fischer <javert42 at cs.byu.edu> writes:
>   
>> Since I've started working on this, I haven't used a login form that
>> wasn't given to me over SSL.  Luckily, everything I use has some sort of
>> secure login form somewhere on their site.  I've tried to find one for
>> Zion's bank, and haven't been able to.  Fortunately, I don't bank with them.
>>     
>
> Zion's Bank uses one of those new-fangled multi-step logins.  You
> enter your user id on the front page, and then you are shown a picture
> and asked a question (over a ssl connection) or, if you've previously
> done this step and got a cookie, you're shown a picture and asked to
> enter your password.  Since only the user id is entered into the form
> in the non-ssl page, it should be safe from your particular attack.
>
>                 --Levi
>   
Thanks for pointing that out.  I was going to use them as an example in
a presentation.  It does seem like some websites are figuring out that
serving username/password forms over an insecure connection is a bad
idea.  Sometime over the past month, SmithBarney changed their home
page, so that now it immediately switches over to an SSL connection.

-- 
Topher Fischer
GnuPG Fingerprint: 3597 1B8D C7A5 C5AF 2E19  EFF5 2FC3 BE99 D123 6674
javert42 at cs.byu.edu
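The check the thread is circling around (is the form that takes my password served over SSL, and does it post over SSL?) is easy to automate.  The script below is an added example, not code from anyone on this list.  It parses a page with the standard library, finds each form, and reports one verdict per form: "page-not-https" when the page carrying a password field was itself served over plain HTTP (the case where an ARP-spoofing man in the middle can rewrite the form), "action-not-https" when an HTTPS page posts the password to an HTTP URL, "no-password" for a userid-only first step like the one described for Zion's Bank, and "ok" otherwise.  The four sample pages and the bank.example hostname are constructed for the demonstration and do not describe any real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> with its action, its field names, and
    whether it contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "",
                             "has_password": False, "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            itype = (attrs.get("type") or "text").lower()
            self._current["fields"].append(attrs.get("name") or "")
            if itype == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return one finding per form on the page.

    The page URL matters as much as the form action: a form served over
    plain HTTP can be rewritten in transit no matter where it posts."""
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlparse(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        # urljoin resolves relative actions; an empty action posts to the page itself
        action_url = urljoin(page_url, form["action"])
        action_scheme = urlparse(action_url).scheme.lower()
        if not form["has_password"]:
            verdict = "no-password"
        elif page_scheme != "https":
            verdict = "page-not-https"
        elif action_scheme != "https":
            verdict = "action-not-https"
        else:
            verdict = "ok"
        findings.append({"action": action_url, "fields": form["fields"],
                         "page_https": page_scheme == "https",
                         "verdict": verdict})
    return findings


# Constructed sample pages (hypothetical host bank.example), one per case.
SAMPLES = {
    "http-username-password": (
        "http://bank.example/",
        '<form action="https://bank.example/login" method="post">'
        '<input name="user"><input type="password" name="pass"></form>',
    ),
    "http-userid-only": (
        "http://bank.example/",
        '<form action="https://bank.example/step2" method="post">'
        '<input name="userid"></form>',
    ),
    "https-login": (
        "https://bank.example/login",
        '<form action="/do_login" method="post">'
        '<input name="user"><input type="password" name="pass"></form>',
    ),
    "https-page-http-action": (
        "https://bank.example/login",
        '<form action="http://bank.example/do_login" method="post">'
        '<input name="user"><input type="password" name="pass"></form>',
    ),
}


def run_samples():
    """Audit every constructed sample; returns {name: [findings]}."""
    return {name: audit_login_page(url, html) for name, (url, html) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        for f in findings:
            print(f"{name}: {f['verdict']}  (posts to {f['action']}, fields {f['fields']})")
```

To audit a live site, fetch the page with urllib and pass the final URL (after redirects) plus the body to audit_login_page; the final URL is what decides the "page-not-https" verdict, so a home page that immediately redirects to SSL comes out clean.  Note that "no-password" only says the form itself carries no password; it does not say the HTTP page is safe from every rewrite, only from the credential-capturing one discussed here.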

