Don't trust the Lock icon either! in

Don't trust the Lock icon either! in http://www.dslreports.com/forum/r8751690 en Mon, 13 Oct 2008 04:55:41 EDT Mon, 13 Oct 2008 04:55:41 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,9237893 ephilipps : ViruScan Enterprise pops a window just by opening the forum post. I guess Microsoft will get around to this soomer or later....]]> http://www.dslreports.com/forum/remark,9237893 Fri, 30 Jan 2004 16:02:45 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8910506 HalfFull :

said by The Way Out :
Want to see something scary? Try this link:

https://www.paypal.com

It says PayPal in the URL, but it's not paypal! You'll notice that it still displays the "Lock" in the bottom right hand corner, too. Be afraid. :|

sad...since Micro$oft is to cheap to fix the flaw, legitimate businesses will be hurt as the security problem is more publicized. Computer-challenged people won't buy on-line because they will be afraid of a scam... ]]> http://www.dslreports.com/forum/remark,8910506 Sun, 28 Dec 2003 16:03:51 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8884933 jbone_99 : I actually blocked the link from showing up using ad blocker in norton IS ]]> http://www.dslreports.com/forum/remark,8884933 Wed, 24 Dec 2003 23:19:05 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8792561 mod bait :
/extreme_sarcasm

Well, hopefully, Microsoft will give this matter several weeks or months of careful consideration and analysis, as they seem to be with the recently-announced active scripting exploits.

--
"Security is a tax on the honest." --Bruce Schneier, Beyond Fear, Copernicus, 2003]]> http://www.dslreports.com/forum/remark,8792561 Mon, 15 Dec 2003 12:48:53 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8768021 justin : thats cute. I figured there would be creative use of redirectors.

I mean - you could post one of those "Special offer" links, the ones that nobody expects to look correct because they are long and have affiliate pay-on-click codes in them? - and then redirect to a phished version of SBC DSL signup page and keep them within it. Then collect credit card numbers for days before the victims noticed.]]> http://www.dslreports.com/forum/remark,8768021 Fri, 12 Dec 2003 17:48:59 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8767960 Googled : I was thinking some more about this bug and I came up with an even scarier usage.

Using the Apache "Redirect" directive you can phish an entire site! Just put this into your httpd.conf!


Redirect /test "http://www.domainyouwant.com^A@www.domainyouhave.com"

Now anyone who visits www.domainyouhave.com/test will be redirected to the phished site! Doing this makes IE automatically modify EVERY link on the page to a phished version!

--
DirecWay DW3000 DRS, SatMex 5 1170 gateway 164, P3-533/256 MB, AOL+ 7.0 4114.10712 on 98SE w/ICS, shared to 2 x 2K Pro, 1 x Redhat Linux 7.3, 1 x Netgear 802.11b]]> http://www.dslreports.com/forum/remark,8767960 Fri, 12 Dec 2003 17:43:22 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8763624 Fireshield : Thanks justin

. You're right, it does work. Rather scary!]]> http://www.dslreports.com/forum/remark,8763624 Fri, 12 Dec 2003 09:23:39 EDT Avant Browser http://www.dslreports.com/forum/remark,8757001 petrus : I experienced the same thing using Avant Browser. Does Avant Browser somehow make IE more secure?]]> http://www.dslreports.com/forum/remark,8757001 Thu, 11 Dec 2003 16:09:15 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8756542 Urg Comcast : The address bar doesn't even say www.paypal.com
It says "https://www.paypal.com%01@secure.divo.net/notpaypal/"]]> http://www.dslreports.com/forum/remark,8756542 Thu, 11 Dec 2003 15:28:41 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8756421 kwitko : Interesting, using IE through Avant Browser, I get
»https://www.paypal.com@secure.divo.net/notpaypal/

But using IE standalone I get:
»https://www.paypal.com/

Using Firebird I get
»https://www.paypal.com%01@secure.divo.net/notpaypal/
--
"Comparing information and knowledge is like asking whether the fatness of a pig is more or less green than the designated hitter rule." -- David Guaspari ]]> http://www.dslreports.com/forum/remark,8756421 Thu, 11 Dec 2003 15:15:36 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8754332 justin : hover your link over his paypal link .. see (phish removed) ?

I added phish protection to these forums

but it did work just fine, he is right.

edit: protection will be lifted shortly just for his post. Try it later if you're still interested.]]> http://www.dslreports.com/forum/remark,8754332 Thu, 11 Dec 2003 11:32:52 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8754169 Fireshield : Hmmmm...when I click it I get »https://secure.divo.net/notpaypal/ in the address bar.

IE Version 6.0.2800.1106.xpsp2.030422-1633]]> http://www.dslreports.com/forum/remark,8754169 Thu, 11 Dec 2003 11:12:56 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8751791 espionage007 : omg no way!! you're one evil genius]]> http://www.dslreports.com/forum/remark,8751791 Thu, 11 Dec 2003 01:26:05 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8751730 justin : I figured it would work, as its just a display bug, really. Damn. I updated the news bit to link to your post demonstrating the fake encrypted site that gives no alerts about the certificate not matching what is displayed in the address bar.]]> http://www.dslreports.com/forum/remark,8751730 Thu, 11 Dec 2003 01:11:49 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8751721 The Way Out : Yes, I set it up. As long as the "real" webhost has a valid SSL certificate (and is issued by a root that is trusted by the browser), no warning is popped up at all. Scary, huh.]]> http://www.dslreports.com/forum/remark,8751721 Thu, 11 Dec 2003 01:10:03 EDT Re: Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8751713 justin : Did you knock this site up? i was going to try an https redirect to see if it could be done, it seemed like it could but I didn't have a domain handy.]]> http://www.dslreports.com/forum/remark,8751713 Thu, 11 Dec 2003 01:07:58 EDT Don't trust the Lock icon either! http://www.dslreports.com/forum/remark,8751690 The Way Out : Want to see something scary? Try this link:

https://www.paypal.com

It says PayPal in the URL, but it's not paypal! You'll notice that it still displays the "Lock" in the bottom right hand corner, too. Be afraid. :|]]> http://www.dslreports.com/forum/remark,8751690 Thu, 11 Dec 2003 01:03:36 EDT