Verified by Visa finally gets outed

Adam Bradley adam at doublegeek.com
Tue Oct 19 19:10:58 BST 2010


On Tue, Oct 19, 2010 at 6:30 PM, Paul Barnfather <lists at barnfather.net> wrote:

> I notice they're now claiming that the "personal assurance message" is
> the approved way to ensure that VbV dialog box is genuine.
>
> Surely it's fairly trivial for a site to send a (hidden, bogus)
> request to VbV and scrape the personal assurance message that comes
> back, then display the message in a phishing dialog to get the victims
> password?
>
> Or is the VbV system secure against this attack? I still feel
> uncomfortable with it.
>
>
The personal assurance message doesn't protect against a relatively simple
MITM HTTP proxy. That should be picked up by standard SSL stuff if it's
using SSL, but of course it's in an iframe so users are never going to be
aware whether it's using SSL or not.
If it's a genuine site then I would expect the whole thing to be SSL, so a
MITM attack couldn't replace the iframe without showing at least some SSL
warnings to the user. Do we know what the attack was in this case?

  Adam
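The point Adam makes above is that a user cannot tell whether an embedded iframe is fetched over SSL, so the protection that a fully-SSL page would give against a proxy swapping the frame is invisible to them. The following is an added example, not code from this thread or from any card scheme, showing the check a merchant or auditor could run over their own checkout markup: it lists every iframe, flags a plain-http frame inside an https parent (the case a browser would treat as mixed content), and notes whether the frame is cross-origin. The page URL and HTML are constructed placeholders.

```python
"""Audit an HTML page for iframes whose transport a user cannot see.

Added example (not from the ukcrypto thread or any 3-D Secure vendor).
The sample page URL and markup below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag names; attribute values may be None.
        if tag == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def audit_iframes(page_url, html):
    """Return one finding per iframe: (absolute src, scheme_ok, same_origin).

    scheme_ok   -> True unless the parent is https and the frame is fetched
                   over plain http (mixed content, which the user never sees
                   because the frame has no address bar of its own).
    same_origin -> scheme, host and port match the parent page. A card-issuer
                   dialog is expected to be cross-origin, so this column is
                   informational rather than a defect on its own.
    """
    parser = IframeCollector()
    parser.feed(html)
    parent = urlsplit(page_url)
    findings = []
    for src in parser.srcs:
        absolute = urljoin(page_url, src)  # resolves "/path" and "//host" forms
        frame = urlsplit(absolute)
        is_network = frame.scheme in ("http", "https")
        scheme_ok = (not is_network) or not (
            parent.scheme == "https" and frame.scheme != "https"
        )
        same_origin = (frame.scheme, frame.netloc) == (parent.scheme, parent.netloc)
        findings.append((absolute, scheme_ok, same_origin))
    return findings


def mixed_content_frames(page_url, html):
    """Return just the frame URLs that would be loaded without TLS."""
    return [src for src, scheme_ok, _ in audit_iframes(page_url, html) if not scheme_ok]


# Constructed sample: an https checkout page embedding four frames.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
<h1>Checkout</h1>
<iframe src="https://acs.issuer.example/3ds/challenge"></iframe>
<iframe src="http://acs.issuer.example/3ds/challenge"></iframe>
<iframe src="//cdn.shop.example/widget"></iframe>
<iframe src="/help"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, scheme_ok, same_origin in audit_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML):
        status = "ok " if scheme_ok else "MIXED"
        origin = "same-origin" if same_origin else "cross-origin"
        print(f"[{status}] {origin:12} {src}")
```

Running it on the sample reports the second frame as mixed content and the first three as cross-origin; the check is deliberately about what a browser could know, which is exactly what the user in the thread cannot see.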