Re: Important to disable scripting in IE again.

From: David Woolley <david@djwhome.demon.co.uk>
Date: Wed, 16 Jun 2004 07:58:20 +0100 (BST)
Message-Id: <200406160658.i5G6wKJ01557@djwhome.demon.co.uk>
To: w3c-wai-ig@w3.org

> I need to be educated about this one.  What is the rather technical thing
> a user needs to do to make SSL work properly?

They need to open up the certificate and look at the subject and confirm
that the subject is the organisation they think they are communicating
with.

> Are you saying the user went to the wrong site?  Wouldn't that be user

That's one route, and is what phishing and typo squatting attempt to
exploit - typo squatting isn't normally associated with an SSL 
exploit, but could be.

The other routes are by subversion of DNS or IP routing, and by
domain name obfuscation (although recent fixes to IE, to reduce
functionality, do reduce the last risk somewhat).

Either way, protection against your customers going to the wrong site
is the only valid security reason for paying money to people like
Verisign.  If you simply want encryption, you can self sign your own
SSL certificates.  The other reason of course is that a proportion of
users would object to an unverifiable certificate diagnostic, without
actually understanding that a verified certificate is near meaningless
unless you verify the URL or subject.  (It does tell you that 
the issuer verified the subject's identity at some level, but probably
not the level that a bank would request and not against who they
might pretend to be.)

To the extent that accessing the wrong site is not an issue, the 
root certificate issuing companies are obtaining money under false
pretences.

If you take one of my online banks, their URL is www.xxxxxxxxxx.co.uk,
(where xxxxxxxxxx is their well known trading name), but their secure
site is something like olb2.xxxxxnet.com, where the prefix is certainly
not enough to have prevented someone completely different from having
registered that domain.  Like all UK banks, they have been subject to
phishing attempts.  (I did try to email them about this in the context
of a phishing attack, but got a stock response to people responding
to phishing attacks, from a minion - a general big organisation problem.)

My other online bank, at least at one time was unusable without scripting,
and had, and may still have, a typo squatter relying on one typing a
double letter as a triple.  Fortunately that typo-squatter doesn't pretend
to be a banking site.  In this case, the secure site name is a reasonable
match with the obvious domain name.

> the job of security departments.  Please don't imply that bank sites
> are not among the most secure sites unless you have some facts to 

The sort of attacks here don't attempt to break into the bank site, they
attempt to break into the bank account, by compromising the user's 
authentication data, possibly by compromising their machine as a whole.
The consequences of banks insisting on scripting are an increased
likelihood of other sites compromising the client.  This may indirectly
compromise the banking site, as banking details are a high priority
target for attackers.  Basically the insistence on scripting by a bank
encourages their customers to use unsafe practices when accessing 
less reputable sites.

Note that phishing attacks are successful, even though internet based
ones would be impossible if people verified the domain name/certificate
subject, properly.

Received on Wednesday, 16 June 2004 02:58:24 UTC
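The checks the message describes, as a worked example added to this archive page (it is not code from the original message or from any bank): open the certificate and confirm the subject names the organisation you meant, and confirm the hostname really sits under the bank's well-known domain rather than on a look-alike domain, behind a user@ prefix in the URL (the obfuscation trick the message refers to), or on a typo-squat. The hostnames, organisation names and the two certificates are constructed stand-ins in the dict layout Python's ssl.getpeercert() returns; the expected domain and organisation are assumed values for the example.

```python
"""Checks a user would make before trusting an HTTPS site, as the message
describes: is the host really under the domain I expect, and does the
certificate name that organisation?  Example added to this archive page,
not code from the original message; every name below is constructed."""
from urllib.parse import urlsplit


def effective_host(url):
    """Return (host, had_userinfo). A browser connects to the host after any
    'user@' prefix; older IE showed that prefix as if it were the site."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return host, parts.username is not None


def is_under_domain(host, expected_domain):
    """True if host is expected_domain or a subdomain of it. Whole labels are
    compared, so 'examplebank.co.uk.evil.example' and 'xexamplebank.co.uk'
    both fail."""
    h = host.lower().rstrip(".").split(".")
    d = expected_domain.lower().rstrip(".").split(".")
    return len(h) >= len(d) and h[-len(d):] == d


def dns_name_matches(pattern, host):
    """Certificate DNS name match: '*' is honoured only as the entire leftmost
    label and covers exactly one label (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def subject_field(cert, key):
    """Read e.g. 'organizationName' from the tuple-of-tuples 'subject'."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == key:
                return v
    return None


def check_certificate(cert, host, expected_org):
    """Return (ok, reasons): ok needs a matching DNS name AND the expected
    organisation. A certificate that is perfectly valid for a look-alike
    host still fails the second test; that is why the subject must be read."""
    reasons = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names and subject_field(cert, "commonName"):
        names = [subject_field(cert, "commonName")]  # legacy CN fallback
    if not any(dns_name_matches(n, host) for n in names):
        reasons.append("host %r not in certificate names %r" % (host, names))
    org = subject_field(cert, "organizationName")
    if org != expected_org:
        reasons.append("certificate organisation %r != expected %r" % (org, expected_org))
    return (not reasons, reasons)


def assess(url, expected_domain, expected_org, cert):
    """Combine the URL and certificate checks; an empty list means no finding."""
    host, had_userinfo = effective_host(url)
    findings = []
    if had_userinfo:
        findings.append("URL has a user@ prefix; real host is %r" % host)
    if not is_under_domain(host, expected_domain):
        findings.append("host %r is not under %r" % (host, expected_domain))
    findings.extend(check_certificate(cert, host, expected_org)[1])
    return findings


# Constructed sample data (assumed values, not any real bank's).
EXPECTED_DOMAIN = "examplebank.co.uk"
EXPECTED_ORG = "Example Bank plc"
# The bank's genuine login host sits on an unrelated domain, as in the message.
GENUINE_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Bank plc"),),
                (("commonName", "olb2.examplebanknet.com"),)),
    "subjectAltName": (("DNS", "olb2.examplebanknet.com"),
                       ("DNS", "www.examplebanknet.com")),
}
# A look-alike whose certificate is entirely valid for its own host.
LOOKALIKE_CERT = {
    "subject": ((("organizationName", "Examplebank Holdings Ltd"),),
                (("commonName", "www.examplebank.co.uk.secure-login.example"),)),
    "subjectAltName": (("DNS", "www.examplebank.co.uk.secure-login.example"),),
}
SAMPLES = [  # (URL the user was sent to, certificate that host presents)
    ("https://olb2.examplebanknet.com/login", GENUINE_CERT),
    ("https://www.examplebank.co.uk@www.examplebank.co.uk.secure-login.example/", LOOKALIKE_CERT),
    ("https://www.exampplebank.co.uk/", LOOKALIKE_CERT),  # doubled letter tripled
]

if __name__ == "__main__":
    for url, cert in SAMPLES:
        print(url)
        for f in assess(url, EXPECTED_DOMAIN, EXPECTED_ORG, cert) or ["no findings"]:
            print("  -", f)
```

Run as a script it prints the findings for each sample. The first sample is the situation the message complains about: the certificate is fine and names the right organisation, yet the host is not under the bank's well-known domain, so nothing but reading the subject distinguishes it from a squatter. The second shows a valid certificate for a look-alike host, caught only by the organisation and domain checks; the third is the typo-squat.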

This archive was generated by hypermail 2.3.1 : Wednesday, 5 February 2014 07:13:33 UTC