
One common piece of security advice is to open sites only from bookmarks (see also Explain to non tech savvy person how to check that your connection to mybank.com is safe?). This approach fails if a site needs a verification token from another site which requires login. (Site A redirects the user to site B with an authorization request as a parameter. The user logs in/authorizes the request at site B. The user gets redirected to site A with a verification token as a parameter.) A problem arises if site A redirects the user to phishing site C, which looks similar to site B and collects the user's credentials.

Of course the user could in theory check if this is site B and not C. But in practice there are many problems:

  • checking every character every time is annoying and will not be done after a few times
  • there are many similar looking characters (homographs)
  • authorization sites' URLs are sometimes different from the main page, and it is hard to remember all of them for different sites (was it my-bank.com / my-bаnk.com / mybank.com / my-bank.org / my-bank-auth.com / auth.my-bank.com?)

So what is a user-friendly way to check that you aren't entering your credentials on a phishing site when you got there via a redirect?

H. Idden
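An added example, not part of the question or of the answer that follows: a bookmark-style check for the redirect step described above. A browser extension or a local helper could keep an allowlist of the exact hosts where site B legitimately asks for credentials, and flag a redirect target whose hostname either is not on that list or mixes scripts (the Cyrillic "а" in my-bаnk.com from the list above). The allowlisted hosts and sample URLs are constructed for the example; the check also accepts punycode (xn--) hostnames, which the question does not mention.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the exact hosts where site B legitimately asks for a login.
# These are assumed example hosts, not real bank domains.
TRUSTED_AUTH_HOSTS = {"auth.my-bank.com", "my-bank.com"}


def script_of(ch):
    """Rough script name ('LATIN', 'CYRILLIC', ...) taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"


def hostname_scripts(host):
    """Set of scripts used by the letters of a hostname (digits, '-' and '.' are ignored)."""
    return {script_of(c) for c in host if c.isalpha()}


def check_redirect(url):
    """Classify the host of a redirect target as 'trusted', 'mixed-script' or 'unknown'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "unknown"
    try:
        # Decode punycode labels (xn--...) so that the script analysis sees the real letters.
        unicode_host = host.encode("ascii").decode("idna") if host.isascii() else host
        # Compare in ASCII (IDNA) form so a Cyrillic 'a' can never equal a Latin 'a'.
        ascii_host = unicode_host.encode("idna").decode("ascii")
    except UnicodeError:
        return "unknown"
    if ascii_host in TRUSTED_AUTH_HOSTS:
        return "trusted"
    # A single label drawing on two scripts is the classic homograph pattern.
    if len(hostname_scripts(unicode_host)) > 1:
        return "mixed-script"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample redirect targets, one per case from the question's list.
    for sample in ("https://auth.my-bank.com/authorize?client_id=siteA",
                   "https://my-b\u0430nk.com/login",   # Cyrillic 'а' (U+0430)
                   "https://my-bank-auth.com/login"):
        print(sample, "->", check_redirect(sample))
```

Only an exact allowlist match counts as trusted; a mixed-script hostname is flagged separately so the user sees why the page should not get their credentials.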

1 Answer


All of the advice provided on the question you linked is already sufficient to verify the login process even when an external provider is used. You just have to repeat the process on every page you're redirected to.

If you're worried about homoglyphs or typo-squatters, then you need to just check the certificate in a little more detail. Most web browsers (desktop browsers, at least) have a feature that lets you see all the pertinent details of a website's certificate, most importantly including the organization it was issued to and information about the issuing Certificate Authority.

If the certificate is valid for the given server or domain, issued to an organization you trust, and issued from a reputable Certificate Authority, then you can be reasonably assured that you're not dealing with some sort of spoofed server.

Sure, attackers can use homoglyphs or typo-squatting to make their server/domain look like it has a name your bank might use. But they'd have to go to great lengths to get a verified certificate that actually looks like it was issued to your bank from a reputable CA. If they really can get that far, no amount of verification on your end is likely to spot any problems.

Come to think of it, nearly every check that you might manually do on the site or its certificate (at least, any check that would be "user friendly") is already being done by your browser. So, unless your local system is already compromised (at which point it really doesn't matter if you're actually on your bank's site or not anyway), there's not likely anything about an attacker's site that you'd find by doing any extra checks which wouldn't already be red-flagged by your browser.

Just keep an eye on that "lock" icon, make sure there are no warning signs (green "Extended Validation" certificates are ideal, but strictly optional) on every page, and you should be fine.

Iszi