[Owasp-Malaysia] twitter with HTTPS

najmi.zabidi at gmail.com najmi.zabidi at gmail.com
Fri Mar 18 07:18:34 EDT 2011


Twitter has got OAuth stuff,
and I rarely check the real Twitter pages.

For me, I usually check Twitter updates using ChromedBird and Tweetdeck,
and twidge if using the CLI.

For the SSL stuff, hmm, if it's a self-signed cert, the user will be
alerted first by the browser (regardless of fake or real domain).
Not sure if the phishers are willing to involve a 3rd-party cert
provider to get one,
but I think it's not impossible, since it seems to bring "good money" if it works.

To be safe, get DontPhishMe installed. Peace of mind.

Maybe in future DontTweetMe or DontClickJackMe .. who knows.



On Fri, Mar 18, 2011 at 7:10 PM, Mohd Kamal Bin Mustafa <kamal at smach.net> wrote:
> On Fri, Mar 18, 2011 at 10:16 AM, najmi.zabidi at gmail.com
> <najmi.zabidi at gmail.com> wrote:
>> Hmm, tested.
>> In my Chromium, when I disabled HTTPS, the URL bar doesn't show the
>> "green" HTTPS status.
>>
>> So I would say HTTPS isn't on by default.
>
> If they really care about security, even the main page should be in
> HTTPS; otherwise someone could still hijack the main page and replace
> the link to the login page with something like https://twetter.com/login, and
> an end user seeing the lock icon in their browser would deem it
> safe.
>
> Even online banking didn't do it right, providing the main page in
> plain HTTP. Imagine going to www.maybank2u.com.my; someone can replace
> the login link with
> https://www.meybank2u.com.my/mbb/m2u/common/M2ULogin.do?action=Login.
> To the end user, everything looks fine:
>
> 1. They type the URL to maybank2u directly instead of clicking any link.
> 2. They can see the lock icon in their browser when clicking the login link.
> 3. The page looks like the real maybank2u site.
>
> Unless they check the SSL cert information on the login link or look
> closely at the URL in the address bar (80% chance end users wouldn't do
> this, I guess), they're 0wn3d already. Someone please prove me wrong on
> this.
> _______________________________________________
> Owasp-Malaysia mailing list
> Owasp-Malaysia at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>
> OWASP Malaysia Wiki
> http://www.owasp.my
>
> OWASP Malaysia Facebook
> http://www.facebook.com/OWASP.Malaysia
>
> OWASP Malaysia Twitter #owaspmy
> http://www.twitter.com/owaspmy
>



-- 
Join #ISOC [Internet Society] today and create connections with
Internet Users around the world!

Simplified Link: http://goo.gl/xmG90
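The swap Kamal describes (a plain-HTTP landing page whose login link is redirected to a one-letter-off HTTPS host) can be checked for mechanically. The following is an added example, not code from this thread or from DontPhishMe; `check_login_links`, `edit_distance` and the constructed `SAMPLE_HTML` page are assumptions for illustration, and the trusted host is the one from the quoted message.

```python
"""Added example: flag login links on a plain-HTTP landing page that are not
HTTPS links to the trusted host, and call out lookalikes (meybank2u vs maybank2u)."""
import re
from urllib.parse import urljoin, urlparse

# Constructed landing page: one genuine login link and two planted ones.
SAMPLE_HTML = """<html><body>
<a href="https://www.maybank2u.com.my/mbb/m2u/common/M2ULogin.do?action=Login">Login</a>
<a href="https://www.meybank2u.com.my/mbb/m2u/common/M2ULogin.do?action=Login">Login</a>
<a href="http://www.maybank2u.com.my/login">Login (mobile)</a>
<a href="/about">About us</a>
</body></html>"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small but non-zero between hostnames marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_login_links(page_url: str, html: str, trusted_host: str) -> list:
    """Return (href, reason) for every login-looking link that is not an HTTPS
    link to trusted_host; hosts within edit distance 2 are reported as lookalikes."""
    findings = []
    for href, text in LINK_RE.findall(html):
        if "login" not in (href + text).lower():
            continue  # only the login link matters for the swap described
        url = urlparse(urljoin(page_url, href))
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            findings.append((href, "login link not over https"))
        elif host != trusted_host:
            lookalike = edit_distance(host, trusted_host) <= 2
            findings.append((href, "lookalike host" if lookalike else "foreign host"))
    return findings


if __name__ == "__main__":
    for href, reason in check_login_links(
            "http://www.maybank2u.com.my/", SAMPLE_HTML, "www.maybank2u.com.my"):
        print(reason, "->", href)
```

Run against the constructed page it reports the meybank2u link as a lookalike host and the plain-HTTP login link as not over HTTPS, while the genuine link passes.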

