[PLUG] wifi security

Jason Martin nsxfreddy at gmail.com
Fri Feb 27 04:19:01 UTC 2009


On Wed, Feb 25, 2009 at 4:16 PM, Rich Shepard <rshepard at appl-ecosys.com> wrote:
> On Wed, 25 Feb 2009, Dan Young wrote:
>
>> Some (many?) people don't pay attention to which part of the browser
>> chrome that little padlock is supposed to show up in:
>> http://isc.sans.org/diary.html?storyid=5908
>
>   I've had several experiences (e.g., trying to register online for
> conferences) where the site says it's a secure link, but I don't see the
> color of the URL and status line change from white to yellow, and I don't
> see the locked padlock in both places.
>
>   When I call the organization/business they try to tell me it really is
> secure, but I tell them that if I cannot see the visual signs of an ssl
> connection I don't trust it.

Some sites use SSL encrypted *forms* just for submission.  So you end
up with a non-SSL page that you type your info into, and when you hit
the submit button the info is sent to an SSL URL.  Theoretically this
would be secure, but there are security problems with this which were
recently discussed at BlackHat (see http://www.doxpara.com/?p=1269 and
https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf).
Mainly you can downgrade the connection, and also you can inject
JavaScript into the non-SSL page and sniff the data from the form.

Cheers,
Jason
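An added example (not from the thread or its authors) of the audit a site operator can run to catch the pattern Jason describes: a form served over plain HTTP that posts to an HTTPS action. The page URL and HTML below are constructed sample input; the point is that the security of the submission depends on the scheme of the page that carries the form, not only on the action URL.

```python
"""Audit HTML for forms whose protection depends on an unprotected page.

Added example; the sample page URL and markup are constructed, not
taken from any real site."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action", ""))


def audit_forms(page_url, html):
    """Return one finding per risky form, resolving relative actions.

    - action over http: the submitted data leaves the browser in clear.
    - https action on an http page: the page itself can be altered in
      transit, so the action can be rewritten to http (downgrade) or a
      script added that reads the fields before submission. The https
      action therefore gives no real assurance to the user.
    """
    page_scheme = urlsplit(page_url).scheme
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for action in parser.actions:
        target = urljoin(page_url, action)      # relative -> absolute
        action_scheme = urlsplit(target).scheme  # urlsplit lowercases it
        if action_scheme == "http":
            findings.append(f"plaintext submission: {target}")
        elif page_scheme == "http" and action_scheme == "https":
            findings.append(f"https form on http page: {target}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a registration form on an http page.
    sample = '<form action="https://example.test/register"><input type="password" name="pw"></form>'
    for finding in audit_forms("http://example.test/register", sample):
        print(finding)
```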
