[17632] in cryptography@c2.net mail archive
Re: Feature or Flaw?
daemon@ATHENA.MIT.EDU (Lance James)
Fri Jul 8 15:26:37 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Tue, 05 Jul 2005 08:09:19 -0700
From: Lance James <lancej@securescience.net>
To: herzbea@macs.biu.ac.il
Cc: cryptography@metzdowd.com
In-Reply-To: <42CAA6B6.4070808@cs.biu.ac.il>
Amir Herzberg wrote:
> Lance James wrote:
> ...
> > https://slam.securescience.com/threats/mixed.html
>
>>
>> This site is set so that there is a frame of https://www.bankone.com
>> inside my https://slam.securescience.com/threats/mixed.html site. The
>> imaginative part is that you may have to reverse the rolls to
>> understand the impact of this (https://www.bankone.com with
>> https://slam.securescience.com frame -> done via cross-user attacks
>
>
> Ok, I can do the `mental exercise` and understand the attack. But I'm
> not sure what is new here. Yes, if a web-site allows such XSS, then
> even SSL won't help it - it could end up sending the _wrong_ page,
> protected by SSL... And in this case I don't even think we can blame
> browser UI; the browser actually got this `bad` page from the server...
>
> Maybe I miss something?
Ok, XSS or not, my concern is that you have multiple Certificates within
a session, and the user is not aware of the others. Yes, they are valid,
but define valid within SSL certs means, I go to geotrust or some CA,
use my stolen credit card and buy a valid cert.
>
>
> BTW, there is a new list focsed on such issues, at
> http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud
--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
