[security] [dix] Re: Gathering requirements for in-browser OpenID support

James A. Donald jamesd at echeque.com
Sat Oct 28 22:59:22 UTC 2006


Chris Drake wrote:
 > Hi Ben,
 >
 > Apart from that blog where the blogger didn't realize
 > that all banks immediately suspend accounts that get
 > logged in to from Russia, Eastern Europe, Asia, and
 > more generally - anyplace other than "normal" - and as
 > such - can't ever work - no - phishing attacks are not
 > MitM.

Google for Ben Laurie.  You definitely should not argue
with him on this topic.

Many phishing attacks proxy the user's login to the real
web site, and thus are man in the middle attacks.

Many phishing attacks *are* the real web site - for
example funny links that link to the true web site, with
a whole bunch of parameters cooked up to take advantage
of bugs in the real web site to get the real web site to
provide information to the adversary in response to a
real login by a real customer to the real web site.

Phishers use a huge variety of attacks, for example
session fixation, and the very diverse bundle of attacks
called XSS.  New and strange XSS attacks seem to appear
rather frequently.

     --digsig
          James A. Donald
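One of the attack classes named in the reply above, session fixation, as an added defensive illustration that is not part of this thread: a constructed login handler that keeps the pre-authentication session identifier next to one that rotates it on successful login. The in-memory session store, the user table and all function names are assumptions made for this example.

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory stores for the example (assumption, not a real backend).
SESSIONS: dict[str, dict] = {}          # session id -> {"user": username or None}
USERS = {"alice": "correct-horse-battery-staple"}  # constructed credential table


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed user table."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def new_session() -> str:
    """Issue an anonymous session id, as a site does before any login."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def login_vulnerable(sid: str, username: str, password: str) -> Optional[str]:
    """Session fixation defect: the pre-login session id is promoted to an
    authenticated one, so any party who already knew that id now holds the
    victim's logged-in session."""
    if sid in SESSIONS and check_password(username, password):
        SESSIONS[sid]["user"] = username
        return sid
    return None


def login_hardened(sid: str, username: str, password: str) -> Optional[str]:
    """Mitigation: discard the pre-login session and issue a fresh id on
    authentication, so an id learned before login is worthless afterwards."""
    if not check_password(username, password):
        return None
    SESSIONS.pop(sid, None)
    fresh = secrets.token_urlsafe(32)
    SESSIONS[fresh] = {"user": username}
    return fresh


def whoami(sid: str) -> Optional[str]:
    """Resolve a session id to the authenticated user, if any."""
    return SESSIONS.get(sid, {}).get("user")
```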
