
Re: Defending users of unprotected login pages with TrustBar 0.4.9.93: msg#00013

security.websecurity

Subject: Re: Defending users of unprotected login pages with TrustBar 0.4.9.93

Amir Herzberg wrote:
> I quite agree that this idea is more problematic. However, we are still giving it a try, since some sites simply do not offer a protected login at all, or at least we haven't found one, e.g. Washington Mutual (WaMu) <http://wamu.com/securityandprivacy/security.asp#Phishing>,

Really?
https://login.personal.wamu.com/logon/logon.asp?dd=1

> Zions <http://www.zionsbank.com/home.jsp>.

How about:
https://banking.zionsbank.com/zfnb/logon/user

But, if you do find some without secure login forms, I think the right approach here is to shame them into submission. There's only so much you can do to compensate for their inadequacies.

BTW, I found the above two by viewing the HTML source and messing around accessing some of the URLs or domains in the form without any parameters.

> Also note that while this idea is problematic without any help from the servers, the idea could work quite well to authenticate pages if the server cooperates and provides e.g. a signature on the page;

How could you prevent compromise of the signature if the page was compromised?

> The Last-Modified HTTP header is not secure, so we can't rely on it...
> But yes, I agree this is not so user friendly. Well, we are doing research, so we can do some imperfect stuff (ok, even lousy stuff), maybe we or others see how to improve it, and we can always remove it.

Sure - absolutely. This is supposed to be constructive criticism :-)

Gerv
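The check Gerv describes above (reading the page source to see where the login form actually posts, and whether that target is https) can be automated. The following is an added example, not code from this thread or from TrustBar; the page URLs and HTML snippets are constructed placeholders for the example, not the WaMu or Zions pages mentioned in the message.

```python
"""Added example (not part of the original thread): find login forms that
submit over plain HTTP.

Given the HTML of a page and the URL it was fetched from, list every <form>
that contains a password field, resolve its action against the page URL the
way a browser would, and flag it unless the resolved action is https://.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects, for each <form>, its action and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of {"action": str|None, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)   # attribute values may be None when written bare
        if tag == "form":
            self._current = {"action": attrs.get("action"), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def login_form_targets(html, page_url):
    """Return [(resolved_action_url, is_protected)] for each form with a
    password input.

    A missing or empty action submits back to the page's own URL, so it
    inherits the page's scheme. The verdict is about the *submission* URL:
    an http page whose form posts to https:// does encrypt the credentials,
    but the user had no visible assurance of that before clicking Submit,
    which is the TrustBar problem; an https page whose form posts to http://
    is unprotected despite the padlock on the page.
    """
    parser = _FormCollector()
    parser.feed(html)
    results = []
    for form in parser.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"] or "")
        results.append((target, urlsplit(target).scheme.lower() == "https"))
    return results


# Constructed sample pages; hostnames are placeholders, not real sites.
SAMPLE_PAGES = {
    # Plain-HTTP homepage whose login box posts to a plain-HTTP URL: unprotected.
    "http://www.example-bank.test/home.jsp": """
        <form method="post" action="/logon/user">
          <input name="uid"><input type="password" name="pw">
        </form>
        <form method="get" action="/search"><input name="q"></form>
    """,
    # Plain-HTTP homepage whose login box posts to an HTTPS host: encrypted
    # in transit, but the page itself gave the user no assurance of that.
    "http://www.example-bank.test/index.html": """
        <form action="https://banking.example-bank.test/logon/user" method="post">
          <input type="password" name="pin">
        </form>
    """,
    # HTTPS login page that posts back to itself (no action attribute): protected.
    "https://login.example-bank.test/logon.asp?dd=1": """
        <form method="post"><input type="PASSWORD" name="password"></form>
    """,
}


def audit(pages):
    """Map each page URL to its list of (target, is_protected) login forms."""
    return {url: login_form_targets(html, url) for url, html in pages.items()}


if __name__ == "__main__":
    for url, targets in audit(SAMPLE_PAGES).items():
        for target, ok in targets:
            print(f"{'protected' if ok else 'UNPROTECTED':12} {url} -> {target}")
```

In practice you would feed the function the HTML returned by an actual fetch of each homepage; the point of separating the page URL from the form action is that the two banks in the message are exactly the case where the homepage is http but the form posts to an https host, so judging the page scheme alone would mark them as unprotected when the credentials are in fact encrypted.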


