On 2/6/06, Mark McCulligh <mmcculli@xxxxxxxxxxxxx> wrote:
>
> This type of attack can be pulled off even if the login form is secured.
> The attacker just has to create a login page that looks like mine and get
> the user to use it. A lot of users won't realize they are on the wrong
> website and the lock (secure) is missing. We have all seen those Paypal
> emails that try and get you to click on the link and login.

Yes, it is easy to fool the average user. The difference with the
man-in-the-middle attack is that it would fool a relatively sophisticated
user. There is essentially no way to tell your info is about to be stolen
unless you view-source and analyze the code. For the other attacks you
mention, a quick look at the URL bar will tell the story. (But I agree that
most users don't even bother to do that.)

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx