[17636] in cryptography@c2.net mail archive


Re: Feature or Flaw?

daemon@ATHENA.MIT.EDU (Lance James)
Fri Jul 8 15:26:38 2005

X-Original-To: cryptography@metzdowd.com
Date: Tue, 05 Jul 2005 08:45:02 -0700
From: Lance James <lancej@securescience.net>
To: herzbea@macs.biu.ac.il
Cc: cryptography@metzdowd.com
In-Reply-To: <42CAA6B6.4070808@cs.biu.ac.il>

Amir Herzberg wrote:

> Lance James wrote:
> ...
>  > https://slam.securescience.com/threats/mixed.html
>
>>
>> This site is set so that there is a frame of https://www.bankone.com 
>> inside my https://slam.securescience.com/threats/mixed.html site. The 
>> imaginative part is that you may have to reverse the roles to 
>> understand the impact of this (https://www.bankone.com with 
>> https://slam.securescience.com frame -> done via cross-user attacks
>
>
> Ok, I can do the `mental exercise` and understand the attack. But I'm 
> not sure what is new here. Yes, if a web-site allows such XSS, then 
> even SSL won't help it - it could end up sending the _wrong_ page, 
> protected by SSL... And in this case I don't even think we can blame 
> browser UI; the browser actually got this `bad` page from the server...
>

It's not the "new" issue - it's the concern that frames with other SSL-
protected information are not being indicated to the user; thus you can 
encrypt data with another valid cert within a frame (or frames) and the 
user will only know of the main cert from the domain that is indicated by 
the address bar.

> Maybe I miss something?
>
> BTW, there is a new list focused on such issues, at 
> http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud



-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!
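
The framed site in the scenario above cannot make the browser show its own certificate to the user, but it can refuse to be rendered inside someone else's page. The following is an added example, not code from the thread or from either participant: it models how a browser that honours X-Frame-Options and the CSP frame-ancestors directive (both mechanisms postdate this 2005 exchange) decides whether a response may be framed by a given top-level origin. The header values and the origins used in the demo are constructed for illustration; the origins reuse the two hosts named in the thread.

```javascript
'use strict';

// Added example, not code from the thread. Models a browser's anti-framing
// check: given the response headers of the framed page (the bank), its own
// origin, and the origin of the top-level page doing the framing, decide
// whether the browser would render it in that frame. All header values and
// origins used below are constructed for the demo.

const defaultPort = (scheme) => (scheme === 'https' ? '443' : '80');

// Break an origin string into scheme, host and port (default port filled in).
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || defaultPort(scheme) };
}

const sameOrigin = (a, b) => a.scheme === b.scheme && a.host === b.host && a.port === b.port;

// Match one CSP source expression against the top-level origin `top`; `self`
// is the origin of the framed response. Covers 'none', 'self', a bare scheme
// ("https:") and host-source with optional scheme, "*." wildcard and port.
function sourceMatches(expr, top, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return sameOrigin(top, self);
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return top.scheme === e.slice(0, -1);

  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:/*]+)(?::(\*|\d+))?$/.exec(e);
  if (!m) return false; // an unparseable expression never matches
  const [, scheme, host, port] = m;

  // Scheme: an explicit scheme must match; otherwise the framed page's own
  // scheme matches, as does an http -> https upgrade.
  if (scheme ? scheme !== top.scheme
             : !(top.scheme === self.scheme || (self.scheme === 'http' && top.scheme === 'https'))) {
    return false;
  }
  // Host: "*" matches anything; "*.example.com" needs at least one extra label.
  if (host !== '*') {
    if (host.startsWith('*.')) {
      if (!top.host.endsWith(host.slice(1))) return false;
    } else if (host !== top.host) {
      return false;
    }
  }
  // Port: "*" matches any; an explicit port must be equal; no port means the
  // default port for the top-level scheme.
  if (port === '*') return true;
  return port ? port === top.port : top.port === defaultPort(top.scheme);
}

// Would a browser render this response inside a frame whose top-level
// browsing context has origin `topOrigin`? `headers` is a plain object of
// response headers; `selfOrigin` is the origin the response came from.
function mayBeFramed(headers, selfOrigin, topOrigin) {
  const self = parseOrigin(selfOrigin);
  const top = parseOrigin(topOrigin);
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

  // A frame-ancestors directive, when present, takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'];
  if (csp) {
    for (const directive of csp.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if ((name || '').toLowerCase() !== 'frame-ancestors') continue;
      return sources.some((src) => sourceMatches(src, top, self)); // first frame-ancestors wins
    }
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sameOrigin(top, self);
  return true; // no anti-framing header: any top-level origin may frame it
}

// Demo of the thread's scenario with constructed headers: with no header the
// bank page renders inside the other site's frame; with frame-ancestors it
// does not.
const BANK = 'https://www.bankone.com';
const FRAMER = 'https://slam.securescience.com';
const BANK_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.bankone.com",
  'X-Frame-Options': 'DENY',
};
console.log('no header, framed by', FRAMER, '->', mayBeFramed({}, BANK, FRAMER));                 // true
console.log('frame-ancestors, framed by', FRAMER, '->', mayBeFramed(BANK_HEADERS, BANK, FRAMER)); // false
```

The point for the framed site is that nothing in the browser UI of 2005 (or today) distinguishes the inner frame's certificate from the outer page's, so the only robust defence is to deny framing by untrusted origins at the server; the evaluator above is what that denial looks like from the browser's side.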


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
