struts-user mailing list archives

From Oscar <oscar.kalde...@gmail.com>
Subject Re: Avoid Phishing in Struts Applications plugin
Date Mon, 06 Sep 2010 17:58:20 GMT
Ok, I got it. Thanks so much for the info.

2010/9/6 Dale Newfield <dale@newfield.org>

> Examples of why SiteKey really isn't sufficient:
> http://antivirus.about.com/b/2010/03/23/bank-of-america-sitekey-scam.htm
>
> http://www.aviransplace.com/2007/02/05/study-finds-bank-of-america-sitekey-is-flawed/
> (As well as the fact that it's possible for a phishing site to use the same
> provided ID to ask the real site what sitekey should be shown to the end
> user, effectively a man-in-the-middle attack, illustrated at
> https://www.sestus.com/vt/sitekeyMITM.asp )
>
> Some other company's solution that appears to involve users having to store
> a keyfile on their machine, but it seems that would make it impossible to
> log into the site from a random machine (or a mobile device like the iPhone
> that doesn't have an available filestore), and I don't see what prevents
> those users from being duped into providing that keyfile to a phisher.
> https://www.sestus.com/vt/comparesitekey.asp
>
> It's a hard problem, and it mostly happens *outside* your app, so good luck
> solving it within your app. :-(
>
> -Dale
>



-- 
Oscar Calderón
SCJP 6 <http://javahowto.net>
