[3964] in WWW Security List Archive
Re: Javascript and Security
daemon@ATHENA.MIT.EDU (Geoffrey Leeming)
Mon Jan 13 06:52:52 1997
To: Jacob Rose <jacob@whiteshell.com>, www-security@ns2.rutgers.edu
From: Geoffrey Leeming <geoffrey@indiciis.com>
Date: Mon, 13 Jan 1997 10:01:37 +0100
Errors-To: owner-www-security@ns2.rutgers.edu
At 03:33 PM 11/1/97 +0100, you wrote:
>Perhaps the thing to do would be to build an uncopyable symbol on the top
>level of a site with a statement that indicates that that symbol should be
>visible throughout the site, and if it goes away, security may have been
>breached. A java applet that talks to the server might be one way.
>Another might be to use server pushes. Any ideas on how it could be done?
It's a very nice idea: not only would it provide a useful security function,
but it would also give that important impression of security to the user
that is so helpful in building up a culture of security.
HOWEVER, (you knew that was coming, didn't you?) it might not be that feasible.
One potential web-spoofing attack is to route page requests through the
attacker's site, so that any security-relevant information can be picked up
en route.
So if person A wants to get to www.real-site.com, the attacker perverts a
link to point to www.attacker's-site.com:www.real-site.com.
(This of course only works if you're following page-embedded links or if the
attacker can get at your bookmarks file.)
So any information that www.real-site.com sends out, including the
uncopyable symbol, gets passed on to the user, even though the attacker has
not copied anything from the target site.
Geoffrey Leeming 0171 592 3007 - Office Direct Dial
Consultant 0171 836 0567 - Fax
Indicii Salus Ltd. 0956 844 168 - Mobile