httpd-users mailing list archives

From Mark McCulligh <mmccu...@visualtech.ca>
Subject Re: [users@httpd] SSL / HTML question
Date Mon, 06 Feb 2006 21:21:20 GMT
Joshua Slive wrote:

>On 2/6/06, Mark McCulligh <mmcculli@visualtech.ca> wrote:
>
>>The client should always be logging
>>in on their website for I hope they realize if they were not on their
>>website.
>
>I'm not sure if you understood or not, but my point was that a
>man-in-the-middle could make it look exactly like they were on their
>own site.  He could simply replace the target URL on the form to point
>to his own site.  (If you checked the URL-bar, you might see
>after-the-fact that you had gone to the wrong site.  But the data
>would already be stolen.)
>
I think you misunderstood my reply.  I was just trying to explain my setup.

This type of attack can be pulled off even if the login form is secured.
The attacker just has to create a login page that looks like mine and get
the user to use it.  A lot of users won't realize they are on the wrong
website and the lock (secure) is missing.  We have all seen those PayPal
emails that try and get you to click on the link and log in.

Mark.

>Joshua.
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org


-- 
___________________________________________
Mark McCulligh, Web Consultant
VisualTech Components www.VisualTech.ca
mmcculli@visualtech.ca
(519)318-7905

