- From: Sheth Raxit <raxitsheth2000@yahoo.co.in>
- Date: Thu, 1 Mar 2007 08:15:57 -0800 (PST)
- To: public-usable-authentication@w3.org
--- Sheth Raxit <raxitsheth2000@yahoo.co.in> wrote:
Date: Thu, 1 Mar 2007 07:42:09 -0800 (PST)
From: Sheth Raxit <raxitsheth2000@yahoo.co.in>
Subject: Qry : Link to show is different than Link will Open -- source of Insecurity ?
To: public-wsc-wg@w3.org
Dear Web Security group,
This is a quick e-mail sent to you after I got one fake e-mail. The From address is of account@somebank.com (not exactly this, but an actual address).
1. The From e-mail id is of one bank. (It did not really come from the bank's mail server but was a fake HTML e-mail.) I think it is for phishing etc.; one of the best tools of a hacker is HTML e-mail.
2. It was showing one link, having a similar URL as the actual website of the bank.
3. When I clicked the URL, it was showing me a similar GUI as the original bank's login page, asking me for my account number, password etc. But luckily I checked the address bar of the browser; it was a different URL, and I didn't give anything!
What I think
1. One can create an HTML page (and an HTML e-mail also) in which, when the content is rendered, the end user sees the link to http://www.example1.com, and when one clicks the link, it will open http://www.hackerpage.example1.com
2. Example
===== a.html start====
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<div class="header">
<p> Some Good Content by which Enduser can have
Trust to the E-mail/page/instruction is really of bank
</p>
<!-- The visible link text is the bank's URL; the href is the attacker's host. -->
<p>Great offer @ Ex1 bank <a href="http://www.example1bank.hackerpage.com">
http://www.example1.com </a></p>
</div>
</body>
</html>
=====a.html end===
3. The end user will view the link of the actual bank (www.example1.com), but when clicking the link it will open a different site/page. (Assume the end user does not know that the link he/she sees and the link that will open are different, and this thing can be done by simple HTML 'code' like above, or read below.)
4. The hacker's site will have a very similar GUI and trustworthy content (also the end user will see the LOCK sign of SSL!, a very similar URI in the address bar, or maybe NO ADDRESS BAR, or even one may SHOW THE ACTUAL URL in the address bar)...and insecure transactions or data theft or anything.
5. I think (please correct me) one of the sources of insecurity is that when viewing the content the user is clicking a FAKE LINK, assuming it is the CORRECT/ACTUAL link.
Your opinion is required on: Is it possible to have browsers (and related standards) be made more intelligent, like when HTML/XHTML/GUI content has a "link to show" (www.actualbank.com) that is different from the "link to open" (www.hackerpage.actualbank.com), it will alert the end user (or at least display both links)?
(Please excuse me if this is not the correct list to post to; requesting you to prompt me the correct list.)
--Raxit Sheth
Received on Thursday, 1 March 2007 16:16:36 UTC
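The check the author asks for above (warn when the "link to show" and the "link to open" disagree), as an added example that is not part of the original message or of any W3C deliverable: a Node.js script that scans HTML for anchors whose visible text looks like a URL but whose href resolves to a different registrable domain. The sample e-mail fragment, the function names and the two-label approximation of a registrable domain are my own assumptions; a browser or mail client would walk the rendered DOM (document.links) rather than parse markup with a regex, and would consult a public-suffix list instead of taking the last two labels.

```javascript
// Added example (not from the original message): detect anchors whose visible
// text names one host while the href actually points at another.
// Runs under plain Node.js; URL is a global there, no DOM needed.

// Matches <a ... href="..."> ... </a>; good enough for e-mail markup, not a full parser.
const ANCHOR_RE =
  /<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>([\s\S]*?)<\/a>/gi;

// Collapse the anchor's inner markup to the text a user would actually see.
function stripTags(s) {
  return s.replace(/<[^>]*>/g, "").replace(/&amp;/g, "&").replace(/\s+/g, " ").trim();
}

// Visible text counts as "a URL" if it is a scheme://host... or a bare host with a path.
function looksLikeUrl(text) {
  return /^(?:[a-z][a-z0-9+.-]*:\/\/)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$/i.test(text);
}

// Hostname of a URL or bare host. Using the URL parser means tricks such as
// http://www.bank.example@attacker.example/ (userinfo) resolve to the real host.
function hostOf(s) {
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : "http://" + s;
  try {
    const u = new URL(candidate);
    if (!/^https?:$/.test(u.protocol)) return null;
    return u.hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Crude registrable-domain approximation (assumption): last two labels.
// A real implementation would use the public-suffix list.
function baseDomain(host) {
  const labels = host.split(".").filter(Boolean);
  return labels.length >= 2 ? labels.slice(-2).join(".") : host;
}

// Returns one finding per anchor whose shown host and real host differ.
function findDeceptiveLinks(html) {
  const findings = [];
  ANCHOR_RE.lastIndex = 0;
  let m;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    const href = (m[1] ?? m[2] ?? m[3] ?? "").trim();
    const text = stripTags(m[4]);
    if (!looksLikeUrl(text)) continue; // "Click here" style text is out of scope
    const shownHost = hostOf(text);
    const realHost = hostOf(href);
    if (!shownHost || !realHost) continue; // mailto:, javascript:, unparsable
    if (baseDomain(shownHost) !== baseDomain(realHost)) {
      findings.push({ text, href, shownHost, realHost });
    }
  }
  return findings;
}

// Constructed sample: the author's a.html link, a benign same-domain link,
// a userinfo-based spoof, and a plain "Click here" link.
const SAMPLE_EMAIL = `
<p>Great offer @ Ex1 bank <a href="http://www.example1bank.hackerpage.com">
http://www.example1.com </a></p>
<p>Statements: <a href="https://online.example1.com/login">www.example1.com/login</a></p>
<p>Verify: <a href="http://www.example1.com@hackerpage.com/">http://www.example1.com</a></p>
<p><a href="http://www.example1.com/offer">Click here</a></p>
`;

for (const f of findDeceptiveLinks(SAMPLE_EMAIL)) {
  console.log(`WARNING: shows ${f.shownHost} but opens ${f.realHost} (${f.href})`);
}
```

Only the first and third anchors are reported: the same-domain link and the "Click here" link are not, so a warning like this would fire on the author's a.html without nagging on ordinary mail.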