<div class="gmail_quote">On Tue, Oct 19, 2010 at 6:30 PM, Paul Barnfather <span dir="ltr">&lt;<a href="mailto:lists@barnfather.net">lists@barnfather.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">I notice they're now claiming that the "personal assurance message" is</div>
the approved way to ensure that the VbV dialog box is genuine.<br>
<br>
Surely it's fairly trivial for a site to send a (hidden, bogus)<br>
request to VbV and scrape the personal assurance message that comes<br>
back, then display the message in a phishing dialog to get the victim's<br>
password?<br>
<br>
Or is the VbV system secure against this attack? I still feel<br>
uncomfortable with it.<br>
<br>
</blockquote></div><br><div>The personal assurance message doesn't protect against a relatively simple MITM HTTP proxy. That should be picked up by standard SSL stuff if it's using SSL, but of course it's in an iframe so users are never going to be aware whether it's using SSL or not.</div>
<div>If it's a genuine site then I would expect the whole thing to be SSL, so a MITM attack couldn't replace the iframe without showing at least some SSL warnings to the user. Do we know what the attack was in this case?</div>
<div><br></div><div> Adam</div>