[17629] in cryptography@c2.net mail archive


Re: Feature or Flaw?

daemon@ATHENA.MIT.EDU (Amir Herzberg)
Fri Jul 8 15:26:31 2005

X-Original-To: cryptography@metzdowd.com
Date: Tue, 05 Jul 2005 17:26:46 +0200
From: Amir Herzberg <herzbea@macs.biu.ac.il>
Reply-To: herzbea@macs.biu.ac.il
To: Lance James <lancej@securescience.net>
Cc: cryptography@metzdowd.com
In-Reply-To: <42C866F3.60104@securescience.net>

Lance James wrote:
...
> https://slam.securescience.com/threats/mixed.html
> 
> This site is set so that there is a frame of https://www.bankone.com 
> inside my https://slam.securescience.com/threats/mixed.html site. The 
> imaginative part is that you may have to reverse the roles to understand 
> the impact of this (https://www.bankone.com with 
> https://slam.securescience.com frame -> done via cross-user attacks

Ok, I can do the `mental exercise` and understand the attack. But I'm 
not sure what is new here. Yes, if a web-site allows such XSS, then even 
SSL won't help it - it could end up sending the _wrong_ page, protected 
by SSL... And in this case I don't even think we can blame browser UI; 
the browser actually got this `bad` page from the server...

Maybe I'm missing something?

BTW, there is a new list focused on such issues, at 
http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud
-- 
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: 
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame
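Editor's note, not part of the thread: the demonstration Lance describes works only because the bank's HTTPS page declares no policy about who may frame it, so a browser will happily render it inside a frame on an unrelated HTTPS origin. The headers that let a site refuse foreign framing (X-Frame-Options, and later the CSP frame-ancestors directive) postdate this 2005 exchange. The script below is an added example, written here rather than taken from either correspondent, that evaluates a response's headers the way a browser would and reports whether a given foreign origin could frame the page. The URLs are the ones from the thread; the header sets are constructed samples, not responses captured from any real server.

```python
"""Decide, from response headers alone, whether a page may be framed by a
given origin. Mirrors browser precedence: a CSP frame-ancestors directive
wins over X-Frame-Options; with neither present, any origin may frame."""
from urllib.parse import urlsplit

# URLs from the thread; the framing scenario being evaluated.
PAGE = "https://www.bankone.com/login"
FRAMER = "https://slam.securescience.com/threats/mixed.html"


def _origin(url):
    """(scheme, host, port) tuple used for same-origin comparison."""
    p = urlsplit(url)
    default_port = 443 if p.scheme == "https" else 80
    return (p.scheme, p.hostname or "", p.port or default_port)


def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent.
    An empty source list means 'none' per the CSP spec."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]] or ["'none'"]
    return None


def source_matches(source, framer_url, page_url):
    """Match one frame-ancestors source expression against the framing origin.
    Handles 'none', 'self', *, scheme-sources (https:) and host-sources with an
    optional scheme and leading wildcard label (https://*.example.com)."""
    framer_scheme, framer_host, _ = _origin(framer_url)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return _origin(framer_url) == _origin(page_url)
    if source.endswith(":") and "/" not in source:  # scheme-source
        return framer_scheme == source[:-1]
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != framer_scheme:
        return False
    host = host.split("/")[0].split(":")[0]  # drop path and port
    if host.startswith("*."):
        return framer_host.endswith(host[1:])
    return framer_host == host


def framing_allowed(headers, page_url, framer_url):
    """Return (allowed, reason) for framer_url embedding page_url."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = parse_frame_ancestors(csp)
        if sources is not None:  # CSP decides; X-Frame-Options is ignored
            allowed = any(source_matches(s, framer_url, page_url) for s in sources)
            return allowed, "CSP frame-ancestors"
    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return False, "X-Frame-Options: DENY"
        if value == "SAMEORIGIN":
            same = _origin(framer_url) == _origin(page_url)
            return same, "X-Frame-Options: SAMEORIGIN"
        return True, f"X-Frame-Options value {xfo!r} unrecognised; browsers ignore it"
    return True, "no framing policy header"


# Constructed header sets illustrating the weak setting and its corrections.
SAMPLE_RESPONSES = {
    "no policy (thread)": {"Content-Type": "text/html"},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "xfo sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp own subdomains": {"Content-Security-Policy": "frame-ancestors 'self' https://*.bankone.com"},
    "csp wide open": {"Content-Security-Policy": "frame-ancestors *"},
}


def audit(framer_url=FRAMER):
    """Evaluate every sample against the thread's framing origin."""
    return {name: framing_allowed(h, PAGE, framer_url) for name, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, (allowed, why) in audit().items():
        print(f"{name:20} framable by {urlsplit(FRAMER).hostname}: {allowed!s:5} ({why})")
```

Only the first and last samples come out framable by the securescience origin; the "csp own subdomains" policy still lets the bank's own subdomains embed the page, which is the kind of exception a real deployment usually needs.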

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
