Monday, February 18, 2008

Updated Liberty Open Source

I've updated my Liberty ID-WSF Open Source Toolkits again. This time to reflect the minor changes made in the Advanced Client specifications as they were finalized within the Alliance.

For those of you who aren't familiar with this code, I have two toolkits available -- a C++ client and an Axis1/Java Server -- which implement the Liberty ID-WSF protocols (both the basic framework and substantial portions of several services).

This new release of the toolkit does not add new functionality -- it only brings the code up to match the final specifications.

Have fun!


Saturday, February 16, 2008

What's wrong with this picture?

I went to log in to my Discover card account to review my account activity (something I try to do on a regular basis). Using a bookmark (to make sure I don't accidentally enter a typo that gets me to a hacker's site -- plus I'm lazy and a single click is easier than typing in the URL), I get to the web site and I notice something that isn't right (in my opinion). Take a look at the picture below and tell me if you see it before reading past it.

Look at the URL. It's non-SSL (http: vs https:). When I noticed that, I figured that somehow my bookmark was messed up, but looking at the bookmark, it does specify https:. What happens is that Discover is redirecting you from the SSL endpoint to the non-SSL endpoint. This happens with IE and with Mozilla whether directly connected or through a proxy server, so it's clearly something done on the server and not a side effect of the client.

That wouldn't be all that bad if Discover just had a link on the home page directing me to a login page that was SSL protected. That isn't the case. The home page itself prompts for the user's credentials. Now the technical people out there might say that the data from the login form is probably submitted to an SSL endpoint, so the data is protected in transit. However, without looking at the page source, the user can't know that, and a page delivered over plain HTTP can be altered on the way to the browser, form action included.

In addition, since the page itself isn't served over SSL, there is no server certificate for the browser to check, so the user (me in this case) has no way to know that they are actually talking to Discover. The page could just as well be coming from a MITM phishing site.

So, if you do go to Discover's site to view your account, I suggest that you select the login link in the upper right corner before you enter your credentials. This will bring you to an SSL protected page where you can verify that the host you are talking to is discovercard.com and not some MITM.
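The two things worth checking on any login page are the ones described above: whether an https:// bookmark gets redirected to http://, and whether a form containing a password field is served over plain HTTP (regardless of where it posts). The script below is an added example, not code from the original post or from Discover; the host name `www.example-bank.test` and the HTML sample are constructed stand-ins, not captured from the real site. The offline part runs on the embedded sample; `fetch_chain()` performs the same check against a live URL.

```python
"""Check a login page for a redirect downgrade and for credential forms served over HTTP.

Added example (not the original post's code). The sample URL and HTML below are
constructed to resemble the situation described in the post, not captured from it.
"""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an http:// landing page whose login form posts to https://.
SAMPLE_URL = "http://www.example-bank.test/"          # assumption: hypothetical host
SAMPLE_HTML = """<html><body>
<form action="https://www.example-bank.test/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form></body></html>"""


class _FormScanner(HTMLParser):
    """Collect each <form> and whether it contains a type=password input."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action means the form posts back to the page URL itself.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_credential_forms(page_url, html):
    """Return the forms on the page that ask for a password."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    return [f for f in scanner.forms if f["has_password"]]


def assess_login_page(page_url, html):
    """Return a list of findings (empty list means nothing to complain about)."""
    findings = []
    page_scheme = urlsplit(page_url).scheme
    for form in find_credential_forms(page_url, html):
        action_scheme = urlsplit(form["action"]).scheme
        if page_scheme != "https":
            # The page (and thus the form's action) is unauthenticated and modifiable.
            findings.append(f"credential form served over {page_scheme}; page cannot be verified")
        if action_scheme != "https":
            findings.append(f"credential form posts to {form['action']} over {action_scheme}")
    return findings


def follows_downgrade(redirect_chain):
    """True if any hop in the chain (start URL plus each Location) goes https -> http."""
    schemes = [urlsplit(u).scheme for u in redirect_chain]
    return any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:]))


def fetch_chain(start_url, timeout=10):
    """Live check: follow redirects, returning (list of URLs visited, final HTML)."""

    class Recorder(urllib.request.HTTPRedirectHandler):
        chain = [start_url]

        def redirect_request(self, req, fp, code, msg, headers, newurl):
            self.chain.append(newurl)
            return super().redirect_request(req, fp, code, msg, headers, newurl)

    opener = urllib.request.build_opener(Recorder)
    with opener.open(start_url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        html = resp.read().decode(charset, "replace")
    return Recorder.chain, html


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    chain = ["https://www.example-bank.test/", SAMPLE_URL]   # what the post describes
    print("downgrade in redirect chain:", follows_downgrade(chain))
    for finding in assess_login_page(SAMPLE_URL, SAMPLE_HTML):
        print("finding:", finding)
```

Against the constructed sample the script reports the downgrade and one finding: the form posts to https://, so the credentials are encrypted in transit, but the form was delivered over http://, which is exactly the problem the post describes. To run it against a real site, call `fetch_chain("https://...")` and pass the returned URL list to `follows_downgrade()` and the final URL and HTML to `assess_login_page()`.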
