ARP-spoofing defense
Topher Fischer
javert42 at cs.byu.edu
Wed Mar 14 11:29:20 MDT 2007
Levi Pearson wrote:
> Topher Fischer <javert42 at cs.byu.edu> writes:
>
>> Since I've started working on this, I haven't used a login form that
>> wasn't given to me over SSL. Luckily, everything I use has some sort of
>> secure login form somewhere on their site. I've tried to find one for
>> Zion's bank, and haven't been able to. Fortunately, I don't bank with them.
>>
>
> Zion's Bank uses one of those new-fangled multi-step logins. You
> enter your user id on the front page, and then you are shown a picture
> and asked a question (over a ssl connection) or, if you've previously
> done this step and got a cookie, you're shown a picture and asked to
> enter your password. Since only the user id is entered into the form
> in the non-ssl page, it should be safe from your particular attack.
>
> --Levi
>
Thanks for pointing that out. I was going to use them as an example in
a presentation. It does seem like some websites are figuring out that
serving username/password forms over an insecure connection is a bad
idea. Sometime over the past month, SmithBarney changed their home
page, so that now it immediately switches over to an SSL connection.
--
Topher Fischer
GnuPG Fingerprint: 3597 1B8D C7A5 C5AF 2E19 EFF5 2FC3 BE99 D123 6674
javert42 at cs.byu.edu
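The thread's point is that a login form is only as trustworthy as the connection it arrived on: if the page holding the form is served over plain HTTP, the form (and its submit target) can be altered in transit, and if the form's action is itself an http:// URL the password is sent in the clear. The following Python script is an added example written for this archive page, not code from the PLUG thread or its authors; it parses a page with the standard library's html.parser, finds every form that carries a password field, and reports both problems. The page URL, host names and HTML are constructed for the demonstration.

```python
"""Flag login forms that would send credentials over plain HTTP.

Added example (not from the PLUG thread): given the URL a page was
fetched from and its HTML, find every <form> containing a password
field and report whether the page itself or the form's submit target
is served without TLS. The sample HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, method, has_password) for each <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []          # finished forms
        self._current = None     # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            # type is case-insensitive in HTML; missing type means text
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_insecure_login_forms(page_url, html):
    """Return one finding per form that carries a password field.

    Each finding holds the resolved submit URL, the method, and a list of
    problems: 'page-not-https' (the form arrived over HTTP, so its content
    could have been tampered with in transit) and/or 'action-not-https'
    (the credentials would be posted in the clear). An empty problem list
    means the form is fine on both counts.
    """
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An empty action submits back to the page itself.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        problems = []
        if page_scheme != "https":
            problems.append("page-not-https")
        if urlsplit(target).scheme != "https":
            problems.append("action-not-https")
        findings.append({"action": target, "method": form["method"],
                         "problems": problems})
    return findings


# Constructed sample: a bank-style home page with a search form (no
# password, ignored), a login form posting to an HTTPS host, and a login
# form posting to a relative URL on the same plain-HTTP host.
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get"><input name="q"></form>
<form action="https://secure.example.test/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form action="login.cgi" method="post">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
</body></html>
"""

if __name__ == "__main__":
    for f in find_insecure_login_forms("http://www.example.test/", SAMPLE_HTML):
        status = "OK" if not f["problems"] else ", ".join(f["problems"])
        print(f"{f['method'].upper()} {f['action']}: {status}")
```

Run against a page fetched over plain HTTP, both login forms are reported: the first only because the form itself was delivered unprotected, the second because the password would also travel unencrypted. Fetching the same HTML over https:// clears the first form entirely, which is exactly the pattern Topher describes SmithBarney adopting.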