Joshua Slive wrote:
On 2/6/06, Mark McCulligh <mmcculli@xxxxxxxxxxxxx> wrote:The client should alway be logging in on their website for I hope they reallize if they where not on their website.I'm not sure if you understood or not, but my point was that a man-in-the-middle could make it look exactly like they were on their own site. He could simply replace the target URL on the form to point to his own site. (If you checked the URL-bar, you might see after-the-fact that you had gone to the wrong site. But the data would already be stolen.)
I think you misunderstood my reply. I was just trying to explain my setup.This type of attack can be pulled off even if the login form is secured. The attacker just has create a login page that looks like mine and get the user to use it. A lot of users won't realize they are on the wrong website and the lock(secure) is missing. We have all seen those Paypal emails that try and get you to click on the link and login.
Mark.
Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
-- ___________________________________________ Mark McCulligh, Web Consultant VisualTech Components www.VisualTech.ca mmcculli@xxxxxxxxxxxxx (519)318-7905 --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|