https://tanguy.ortolo.eu/blog/article73/smartphone-phisher en a blog about Debian and self-hosting Sun, 16 Dec 2012 04:35:00 +0000 PluXml https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1355632506-1 https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1355632506-1 firefox mobile est pas mal, mais le coup du remplacement de l'url par la balise titre est sans doute la décision la plus idiote de toute l'histoire de mozilla Sun, 16 Dec 2012 04:35:00 +0000 farvardin https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350382024-1 https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350382024-1 @Guillaume, @Gabriel, this attack is not limited to banks, for instance replace the bank website by a blog, with a « login with facebook » button for comments, redirecting to something that looks like a Facebook login page. @Chris Cunningham : Well, this page does not exist, so this is only a fictitious example. Simply consider that the evil pirate can wery well secure its phishing website with a perfectly valid certificate for his domain name “evilpirate.net”. Now, I am not sure of what you mean by “random binaries they download off random FTP sites”, perhaps you should be more specific. Tue, 16 Oct 2012 10:07:00 +0000 Tanguy https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350381637-1 https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350381637-1 @glandium : Too bad there is no longer a way to test it without having to buy an appropriate mobile phone then. I would not have been able to take those screenshots without that obsolete but presented as up-to-date GNU/Linux version. It should be removed indeed, because it is really misleading. @Gabriel : Actually I am. I have several types of passwords, ranging from very secure to not really secure for systems that do not accept special characters, and one very unsecure password for lame systems that only accept a handful of digits, or to name them: banks. Fortunately they use a counter that burns the login after three unsuccessful login trials, which limits the brute force attack vulnerability. Tue, 16 Oct 2012 10:00:00 +0000 Tanguy https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350381521-1 https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350381521-1 The first thing I get when accessing that URL on mobile Firefox is a full-page, extremely scary warning about an insecure connection to evilpirate.net. I'm going to assume that the hidden moral of this story is that supposedly technical competent people running their own Linux distros on their mobile devices should not assume that random binaries they download off random FTP sites indicate the latest supported secure version of whatever they purport to be. - Chris Tue, 16 Oct 2012 09:58:00 +0000 Chris Cunningham https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350380214-1 https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350380214-1 Not worried about the fact that this site use a 4 digit password to access your accounts? Tue, 16 Oct 2012 09:36:00 +0000 Gabriel https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350378853-1 https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350378853-1 Well, I tried the Android Browser, and it seems like it will always show the URL for https:// sites. Also Chrome on Android always shows the address bar. So hopefully most Android users are safe by default Tue, 16 Oct 2012 09:14:00 +0000 Andre Klärner https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350370107-1 https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350370107-1 @Tanguy: that's very outdated and shouldn't be there at all. There are no desktop builds of Firefox mobile anymore. Tue, 16 Oct 2012 06:48:00 +0000 glandium https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350333998-1 https://tanguy.ortolo.eu/blog/article73/smartphone-phisher/#c1350333998-1 @glandium : No, this is the last available build for GNU/Linux i386, available at http://www.mozilla.org/fr/mobile/ . Version Fennec 4.0.1 as it appears to be. Mon, 15 Oct 2012 20:46:00 +0000 Tanguy