httpd-users mailing list archives

From Mark McCulligh <>
Subject Re: [users@httpd] SSL / HTML question
Date Mon, 06 Feb 2006 21:36:58 GMT
Joshua Slive wrote:

>On 2/6/06, Mark McCulligh <> wrote:
>>This type of attack can be pulled off even if the login form is secured.
>>The attacker just has to create a login page that looks like mine and get
>>the user to use it.  A lot of users won't realize they are on the wrong
>>website and the lock(secure) is missing.  We have all seen those Paypal
>>emails that try and get you to click on the link and login.
>Yes, it is easy to fool the average user.  The difference with the
>man-in-the-middle attack is that it would fool a relatively
>sophisticated user.  There is essentially no way to tell your info is
>about to be stolen unless you view-source and analyze the code.  For
>the other attacks you mention, a quick look at the URL bar will tell
>the story.  (But I agree that most users don't even bother to do
I think I now understand the attack.  They are changing the response 
information when the login form is being sent to the user in plain 
text.  I first thought you were telling me the attacker was getting the 
user to go to a different URL and log in.


>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:> for more info.
>To unsubscribe, e-mail:
>   "   from the digest:
>For additional commands, e-mail:

Mark McCulligh, Web Consultant
VisualTech Components
