httpd-users mailing list archives

From Mark McCulligh <mmccu...@visualtech.ca>
Subject Re: [users@httpd] SSL / HTML question
Date Mon, 06 Feb 2006 21:36:58 GMT
Joshua Slive wrote:

>On 2/6/06, Mark McCulligh <mmcculli@visualtech.ca> wrote:
>
>>This type of attack can be pulled off even if the login form is secured.
>>The attacker just has to create a login page that looks like mine and get
>>the user to use it.  A lot of users won't realize they are on the wrong
>>website and the lock (secure) is missing.  We have all seen those Paypal
>>emails that try and get you to click on the link and login.
>
>Yes, it is easy to fool the average user.  The difference with the
>man-in-the-middle attack is that it would fool a relatively
>sophisticated user.  There is essentially no way to tell your info is
>about to be stolen unless you view-source and analyze the code.  For
>the other attacks you mention, a quick look at the URL bar will tell
>the story.  (But I agree that most users don't even bother to do
>that.)
>
I think I now understand the attack.  They are changing the response
information when the login form is being sent to the user in plain
text.  I first thought you were telling me the attacker was getting the
user to go to a different URL and log in.

Mark.

>Joshua.
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
>  
>


-- 
___________________________________________
Mark McCulligh, Web Consultant
VisualTech Components www.VisualTech.ca
mmcculli@visualtech.ca
(519)318-7905

