[3971] in WWW Security List Archive
Re: Javascript and Security
daemon@ATHENA.MIT.EDU (Abigail)
Mon Jan 13 22:27:47 1997
To: jacob@whiteshell.com (Jacob Rose)
Date: Mon, 13 Jan 1997 20:29:42 -0500 (EST)
From: "Abigail" <abigail@ny.fnx.com>
Cc: ocean5@ix.netcom.com, www-security@ns2.rutgers.edu
Reply-To: abigail@ny.fnx.com
In-Reply-To: <Pine.ULT.3.93.970111092418.6939A-100000@hummingbird.whiteshell.com> from "Jacob Rose" at Jan 11, 97 09:33:59 am
Errors-To: owner-www-security@ns2.rutgers.edu
You, Jacob Rose, wrote:
++
++ Javascript might be an aide to someone trying to spoof a site, but
++ remember that the fundamental structure of the Web is really the problem.
++
++ All someone would really have to do to watch a large number of people as
++ they use the web would be to build a web filter (like the infamous Zippy
++ the Pinhead filter) that works quietly and has a promising looking front
++ door ("New search engine!" for instance), or to crack someone else's
++ popular site that has links often followed.
++
++ Perhaps the thing to do would be to build an uncopyable symbol on the top
++ level of a site with a statement that indicates that that symbol should be
++ visible throughout the site, and if it goes away, security may have been
++ breached. A java applet that talks to the server might be one way.
++ Another might be to use server pushes. Any ideas on how it could be done?
Such a symbol won't help. First of all, there is no such thing as
"uncopyable". Second, the attacker might just include/proxy the
inlined symbol. And third, the moment you notice the symbol is gone
can mean it is too late. If all you do is change the address the
information (like credit card numbers) of a form is send to, and
it isn't untill the information reached the attacker you get a page
without a symbol.
Abigail
