Re: Bank Of America - sign on process - how is this secure?

From: srt@nospam.unt.edu
Date: 11/26/02

In comp.security.misc Sam Simpson <sam@samsimpson.com> wrote:
> "Curious Owl" <Whoot@spam.nyet> wrote in message
> news:3DE2F440.DC1C40AE@spam.nyet...
>> All corrections and elaborations appreciated!
>>
>> I would think that this is only somewhat secure. Indeed if you are sure
>> that the login is sent via https, then you are OK. However if you do not
>> check the http source each time you attempt to login, then since the
>> page requesting your login is sent to you unencrypted, it could possibly
>> be modified.

> If you assume that the web server can be hacked, then you could also assume
> that (even with the form sitting on an SSL encrypted page) an adversary
> could change the "action" to a different site...

The point here is that you *don't* have to "assume that the web server
can be hacked" in order for this to be insecure. A web proxy could be
hacked. A router could be modified to change the page. Routing
tables could be modified to send requests to/from a different system.
DNS entries could be faked to point the web site name to an entirely
different IP address. As you can see, there are lots of attacks on
this that don't touch the web server at all....

-- 
Steve Tate - srt[At]cs.unt.edu | "A computer lets you make more mistakes faster
Dept. of Computer Sciences     | than any invention in human history with the
University of North Texas      | possible exceptions of handguns and tequila."
Denton, TX  76201              |         -- Mitch Ratliffe, April 1992
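
The two halves of this thread, the manual "check the source each time" that Curious Owl says a careful user would need, and the in-transit rewrite of the form that Steve Tate says needs no access to the bank's server, can both be shown in a few lines. The following is an added example, not code from any poster or from the bank: the page markup, the host names (`www.example.com`, `onlinebanking.example.com`, `login.example.net`) and the `signon.asp` path are all constructed for illustration. `tamper_form_action` is the edit an on-path attacker (proxy, router, spoofed DNS) can apply to a page that travels over plain http; `check_login_form` is the check the user would have to repeat on every visit to notice it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not any bank's real markup): a front page fetched
# over plain http whose sign-on form posts to an https endpoint.
ORIGINAL_PAGE = """<html><body>
<form name="signon" method="post" action="https://onlinebanking.example.com/signon.asp">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign On">
</form>
</body></html>"""


class FormCollector(HTMLParser):
    """Collects every <form> and notes whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # attribute values may be None
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "has_password": False}
        elif (tag == "input" and self._current is not None
              and a.get("type", "").lower() == "password"):
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def login_forms(html, page_url):
    """Return the password-bearing forms in `html` with their action URLs
    resolved against `page_url` (a relative action inherits the page's scheme,
    so a form on an http page with action="/signon.asp" posts over http)."""
    p = FormCollector()
    p.feed(html)
    p.close()
    return [dict(f, action=urljoin(page_url, f["action"]))
            for f in p.forms if f["has_password"]]


def tamper_form_action(html, new_action):
    """What an on-path attacker (hacked proxy, modified router, spoofed DNS)
    can do to a page that travels over plain http: rewrite the first form's
    action so the credentials are posted to a host they control. The bank's
    web server is never touched."""
    return re.sub(r'action="[^"]*"', lambda m: 'action="%s"' % new_action,
                  html, count=1)


def check_login_form(html, page_url, expected_host):
    """The check a user would have to repeat on every sign-on to trust the
    form: is the page itself protected in transit, and does every password
    form post over https to the host the bank actually uses?
    Returns a list of findings; an empty list means nothing was wrong."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("login page served over http: "
                        "the form can be modified in transit")
    for f in login_forms(html, page_url):
        target = urlsplit(f["action"])
        if target.scheme != "https":
            findings.append("form posts credentials over %s to %s"
                            % (target.scheme or "(none)", f["action"]))
        if target.hostname != expected_host:
            findings.append("form posts to unexpected host %s"
                            % target.hostname)
        if f["method"] != "post":
            findings.append("form uses method %s: credentials would end up "
                            "in the URL" % f["method"])
    return findings


if __name__ == "__main__":
    bank = "onlinebanking.example.com"
    print(check_login_form(ORIGINAL_PAGE, "http://www.example.com/", bank))
    evil = tamper_form_action(ORIGINAL_PAGE,
                              "http://login.example.net/signon.asp")
    print(check_login_form(evil, "http://www.example.com/", bank))
```

Run as-is, the untampered page yields a single finding (the page itself came over http, so the form cannot be trusted even though its action is https); the tampered copy yields three (page over http, credentials posted over http, posted to a host that is not the bank's). The only way the first finding disappears is to fetch the page that carries the form over https in the first place, which is the point both posters are circling.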