centralasian (centralasian) wrote,

[PRO] Fake Authenticity

"Pretty soon, we're going to need a new vocabulary for phishing attacks. The one broken recently on the Netcraft site demonstrated at and just reported in the Herald is not an "SSL attack" as such.

Rather, the "visual spoofing" technique is a very sophisticated social engineering attack against the oversimplification of the user interface.

The long-standing fear in the software industry and on the Internet is that if things are hard to use, people won't use them. Gradually, the notion of "ease of use" has been called on to support the idea that any and all inconvenience destroys usability and productivity and should be eliminated.

In SSL, this means users are trained not to seek out difficult information such as the certificate used to secure a conversation; instead, browser vendors (and application providers such as e-commerce sites) teach users to look for the "lock" symbol.

A recent attack on this used a valid certificate from the wrong site; the lock symbol showed that a certificate had been presented, and only the most diligent user would check the certificate's details.

Another form of social engineering attack has emerged, in which the attacker merely creates a composite of image and HTML page to give the user a graphic of the lock key in the correct state.

This "visual spoofing" does not in any way compromise SSL - it doesn't even have to try to create an SSL session. It is an attack on user interface design." -- Social engineering with the visual spoof, by Richard Chirgwin.
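The "valid certificate from the wrong site" case above is exactly the check that the lock symbol hides from the user: whether the certificate is bound to the host the user typed. The following is an added example, not code from the journal post or from Chirgwin's article. It implements that binding check over certificate dicts in the shape Python's ssl.SSLSocket.getpeercert() returns (subjectAltName DNS entries, with a commonName fallback when no SAN is present, and a wildcard limited to the leftmost label). The three certificates are constructed sample data, not real sites' certificates.

```python
"""Decide whether a presented certificate is bound to the host the user intended.

Added example (not the post's code). Certificate dicts follow the layout of
ssl.SSLSocket.getpeercert(); the three samples below are constructed.
"""

# Constructed sample: a site certificate with two SAN entries.
BANK_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "example-bank.test")),
}

# Constructed sample: a perfectly valid wildcard certificate for some other host.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.hosting.test"),),),
    "subjectAltName": (("DNS", "*.hosting.test"),),
}

# Constructed sample: a legacy certificate with no subjectAltName at all.
LEGACY_CERT = {
    "subject": ((("commonName", "legacy.test"),),),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname, case-insensitively.

    A wildcard is honoured only as the whole leftmost label, only when at
    least two labels follow it, and only for a hostname with the same
    number of labels (so '*.hosting.test' never covers 'a.b.hosting.test').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def dns_names(cert: dict) -> list:
    """Names the certificate claims: SAN DNS entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    # Fallback used only for certificates that carry no SAN extension.
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True only if some name in the certificate is bound to this hostname."""
    return any(_name_matches(name, hostname) for name in dns_names(cert))


def lock_verdict(cert: dict, hostname: str) -> str:
    """What the lock symbol alone does not tell the user."""
    if cert_matches_host(cert, hostname):
        return "certificate is for " + hostname
    return ("valid certificate but for a different site: "
            + ", ".join(dns_names(cert)))


if __name__ == "__main__":
    # The user typed the bank's name; which certificate did the server present?
    for cert in (BANK_CERT, WILDCARD_CERT):
        print(lock_verdict(cert, "www.example-bank.test"))
```

Run stand-alone, the script reports the bank certificate as bound to the typed host and the wildcard certificate as "valid certificate but for a different site", which is the distinction a lock icon that only signals "a certificate was presented" collapses.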
