Re: Feature or Flaw?
Lance James wrote:
> Amir Herzberg wrote:
>> Lance James wrote:
>>> ... https://slam.securescience.com/threats/mixed.html
>>> This site is set so that there is a frame of https://www.bankone.com inside my https://slam.securescience.com/threats/mixed.html site. The imaginative part is that you may have to reverse the roles to understand the impact of this (https://www.bankone.com with https://slam.securescience.com frame - done via cross-user attacks
>>
>> Ok, I can do the `mental exercise` and understand the attack. But I'm not sure what is new here. Yes, if a web-site allows such XSS, then
>
> It's not the new issue - it's the concern that frames with other SSL-protected information are not being indicated to the user, thus you can encrypt data with another valid cert within a frame(s) and the user will only know of the main cert from the domain that is indicated by the address bar.

Well, but I don't see that this has much to do with SSL, really. The problem is that the attacker is able to cause the server to send a page controlled (partially or fully) by the attacker. This should not happen. SSL is only supposed to ensure that the client got the page as the server sent it - and this does happen. Of course, this cannot protect against an infinite list of possible errors and vulnerabilities of the server:
-- XSS attacks
-- Defacement
-- an employee intentionally putting a script to do something
...

I think that your complaint/observation is that browsers normally warn when displaying a page which is partially protected and partially not, but may not complain when displaying a page protected by cert X, but including a frame protected by cert Y. Well, this can be fixed, but I'm not sure this is really important. The problem is really the fact that the page was modified in the first place. Instead of including a protected (or unprotected) frame with the rogue code, the attack could have sent the rogue code directly from the compromised site.
-- 
Best regards,

Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: http://AmirHerzberg.com/shame

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Feature or Flaw?
Hi all,

I wanted to introduce something that has probably been known for some time now, but has never been really addressed due to possible conflicting views of how SSL certificates should work, and where the CAs should (or should not) fit in.

As we all know, the recent attention to the phishing threat vector has spawned some interesting views of how we look at certain responses that a web browser might appropriate in regards to certain conditions set by the server. Some of these include the recent javascript dialog box vulnerability, since there are requests that a javascript dialog box should display its origin, etc... (see http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test).

In light of that, I thought it might be relevant to address a question that's been on my mind, and figure that the cryptography list may be the best place to find the answer. (the answer is 42, just kidding).

I've set up a site that requires a bit of imagination since I don't wish to expose any financial institutions (bankone is just a random example that I chose) that may be vulnerable to cross-user attacks, but I can tell you that this discovery of impact was done within an audit that explicitly demonstrated a problem. Also, I use a Thawte-signed certificate, so some Mozilla browsers do not seem to regard it as a valid CA; please ignore that if you get a warning, as it is only a distraction from the real problem (aka, if it were a VeriSign cert it would not warn).

https://slam.securescience.com/threats/mixed.html

This site is set so that there is a frame of https://www.bankone.com inside my https://slam.securescience.com/threats/mixed.html site. The imaginative part is that you may have to reverse the roles to understand the impact of this (https://www.bankone.com with https://slam.securescience.com frame - done via cross-user attacks trivially). At the bottom you will see the securescience.com certificate, but no indication of the bankone certificate.

You will also not get any warnings due to the fact that the bankone certificate is validly signed by a CA. With the Cross-User threat vector, a phisher can easily use a validly signed cert to perform a site takeover with no warning that an outside (the domain) certificate exists within the site. The lock does show that it's secure, and there are no indications that this site should not be trusted according to the rules that are dispersed to the mainstream public. Unfortunately, this Mixed attack in a cross-user scenario could be encrypting/decrypting the login page with the attacker cert and no one is the wiser without heavy inspection of the source code.

Feature, or flaw?

-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!
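The check a practitioner would want for the scenario demonstrated above, as an added example that is not part of the thread and not code from any of the sites named in it: whether https://slam.securescience.com can put https://www.bankone.com in a frame (or the reverse, in the XSS case) is decided solely by the framed page's own anti-framing policy, because the browser chrome shows only the top-level certificate. The X-Frame-Options header and, later, the CSP frame-ancestors directive give a site that policy; neither existed when this was posted. The Node.js code below evaluates those two headers the way browsers do (frame-ancestors takes precedence over X-Frame-Options, a missing header means anyone may frame the page) against constructed sample responses. The origins and header values are made up for illustration and were not captured from any bank.

```javascript
// Added example, not code from the thread: decide whether a page served with
// the given response headers may be embedded by a frame on another origin.
// Sample origins and headers below are constructed for illustration.

// Default port for the two schemes that matter here.
function defaultPort(scheme) {
  return scheme === "https" ? 443 : scheme === "http" ? 80 : null;
}

// Parse "scheme://host[:port]" into lower-cased parts with an explicit port.
function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?$/i.exec(origin.trim());
  if (!m) throw new Error(`not an origin: ${origin}`);
  const scheme = m[1].toLowerCase();
  return { scheme, host: m[2].toLowerCase(), port: m[3] ? Number(m[3]) : defaultPort(scheme) };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does one frame-ancestors source expression match the framing (ancestor)
// origin? Simplified from the CSP3 matching rules: 'none', 'self', '*', a bare
// scheme such as "https:", or a host-source with optional scheme, "*." host
// wildcard and optional port (a number or "*").
function sourceMatches(expr, ancestor, resource) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return sameOrigin(ancestor, resource);
  if (e === "*") return ancestor.scheme === "https" || ancestor.scheme === "http";
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return ancestor.scheme === e.slice(0, -1);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false; // malformed source expression matches nothing
  const [, scheme, wildcard, host, port] = m;
  // A scheme-less host-source matches the resource's own scheme, or https.
  const schemeOk = scheme
    ? ancestor.scheme === scheme
    : ancestor.scheme === resource.scheme || ancestor.scheme === "https";
  if (!schemeOk) return false;
  const hostOk = wildcard ? ancestor.host.endsWith("." + host) : ancestor.host === host;
  if (!hostOk) return false;
  if (port === undefined) return ancestor.port === defaultPort(ancestor.scheme);
  if (port === "*") return true;
  return ancestor.port === Number(port);
}

// Source list of the frame-ancestors directive in a CSP header value, or null
// when the policy has no such directive. An empty list means 'none'.
function frameAncestors(cspValue) {
  for (const directive of cspValue.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// May a document at framerOrigin embed a page at resourceOrigin that was
// served with `headers` (lower-case header names)? A frame-ancestors
// directive takes precedence over X-Frame-Options, as in browsers.
function canBeFramedBy(headers, resourceOrigin, framerOrigin) {
  const resource = parseOrigin(resourceOrigin);
  const framer = parseOrigin(framerOrigin);
  const csp = headers["content-security-policy"];
  const sources = csp ? frameAncestors(csp) : null;
  if (sources !== null) return sources.some((s) => sourceMatches(s, framer, resource));
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return sameOrigin(framer, resource);
  // No anti-framing header (the situation in this thread) or an unrecognised
  // value: any origin may frame the page.
  return true;
}

// Constructed sample responses for the thread's scenario; not captured from any real bank.
const BANK = "https://www.bankone.com";
const ATTACKER = "https://slam.securescience.com";
const SAMPLE_RESPONSES = {
  "no anti-framing header": {},
  "x-frame-options sameorigin": { "x-frame-options": "SAMEORIGIN" },
  "frame-ancestors self and subdomains": {
    "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://*.bankone.com",
  },
  "frame-ancestors none beside a looser x-frame-options": {
    "x-frame-options": "SAMEORIGIN",
    "content-security-policy": "frame-ancestors 'none'",
  },
};

// Evaluate every sample response for one framing origin; returns label -> verdict.
function auditFraming(responses, resourceOrigin, framerOrigin) {
  const verdicts = {};
  for (const [label, headers] of Object.entries(responses)) {
    verdicts[label] = canBeFramedBy(headers, resourceOrigin, framerOrigin);
  }
  return verdicts;
}

// Usage: which sample policies let the attacker's page embed the bank's login page?
for (const [label, ok] of Object.entries(auditFraming(SAMPLE_RESPONSES, BANK, ATTACKER))) {
  console.log(`${ok ? "FRAMABLE" : "blocked "}  ${label}`);
}
```

Run it with `node framing.js` (the file name is an assumption). Only the first sample, the 2005 situation with no header at all, comes out as framable by the attacker's origin; the last sample shows why the precedence rule matters, since the CSP directive refuses even the bank's own origin although X-Frame-Options would have allowed it. Point `canBeFramedBy` at the real headers of a login page you audit and the verdict is the one that decides whether this thread's attack applies to it.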
Re: Feature or Flaw?
Lance James wrote:
> ... https://slam.securescience.com/threats/mixed.html
> This site is set so that there is a frame of https://www.bankone.com inside my https://slam.securescience.com/threats/mixed.html site. The imaginative part is that you may have to reverse the roles to understand the impact of this (https://www.bankone.com with https://slam.securescience.com frame - done via cross-user attacks

Ok, I can do the `mental exercise` and understand the attack. But I'm not sure what is new here. Yes, if a web-site allows such XSS, then even SSL won't help it - it could end up sending the _wrong_ page, protected by SSL... And in this case I don't even think we can blame browser UI; the browser actually got this `bad` page from the server...

Maybe I miss something?

BTW, there is a new list focused on such issues, at http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud

-- 
Best regards,
Amir Herzberg
Bar Ilan University
Re: Feature or Flaw?
* Lance James:
> Feature, or flaw?

Couldn't you just copy (or proxy all content) and get the same effect without using frames at all? Maybe I'm just missing something.
Re: Feature or Flaw?
Amir Herzberg wrote:
> Lance James wrote:
>> ... https://slam.securescience.com/threats/mixed.html
>> This site is set so that there is a frame of https://www.bankone.com inside my https://slam.securescience.com/threats/mixed.html site. The imaginative part is that you may have to reverse the roles to understand the impact of this (https://www.bankone.com with https://slam.securescience.com frame - done via cross-user attacks
>
> Ok, I can do the `mental exercise` and understand the attack. But I'm not sure what is new here. Yes, if a web-site allows such XSS, then even SSL won't help it - it could end up sending the _wrong_ page, protected by SSL... And in this case I don't even think we can blame browser UI; the browser actually got this `bad` page from the server...
>
> Maybe I miss something?

Ok, XSS or not, my concern is that you have multiple certificates within a session, and the user is not aware of the others. Yes, they are valid, but define valid; within SSL certs it means I go to GeoTrust or some CA, use my stolen credit card and buy a valid cert.

> BTW, there is a new list focused on such issues, at http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud

-- 
Best Regards,
Lance James
Secure Science Corporation
Re: Feature or Flaw?
Florian Weimer wrote:
> * Lance James:
>> Feature, or flaw?
>
> Couldn't you just copy (or proxy all content) and get the same effect without using frames at all?

How would you go about doing that and still get the SSL lock to remain as the bank's? Can you give an example?

> Maybe I'm just missing something.

-- 
Best Regards,
Lance James
Secure Science Corporation
Re: Feature or Flaw?
* Lance James:
>> Couldn't you just copy (or proxy all content) and get the same effect without using frames at all?
>
> How would you go about doing that and still get the SSL lock to remain as the bank's? Can you give an example?

In both cases, you have the SSL lock on your own certificate. At least my browser does not provide a user interface to access the certificates of the servers from which embedded objects (or frames) were downloaded.
Re: Feature or Flaw?
Florian Weimer wrote:
> * Lance James:
>>> Couldn't you just copy (or proxy all content) and get the same effect without using frames at all?
>>
>> How would you go about doing that and still get the SSL lock to remain as the bank's? Can you give an example?
>
> In both cases, you have the SSL lock on your own certificate.

And as stated above, reverse the effect and it would be the bank's in scenarios such as XSS. The bank's SSL cert is actually handling all the data; my concern is that the user is not aware of this and only trusts the domain that's indicated in the address bar's cert.

> At least my browser does not provide a user interface to access the certificates of the servers from which embedded objects (or frames) were downloaded.

-- 
Best Regards,
Lance James
Secure Science Corporation
Re: Feature or Flaw?
Amir Herzberg wrote:
> Lance James wrote:
>> ... https://slam.securescience.com/threats/mixed.html
>> This site is set so that there is a frame of https://www.bankone.com inside my https://slam.securescience.com/threats/mixed.html site. The imaginative part is that you may have to reverse the roles to understand the impact of this (https://www.bankone.com with https://slam.securescience.com frame - done via cross-user attacks
>
> Ok, I can do the `mental exercise` and understand the attack. But I'm not sure what is new here. Yes, if a web-site allows such XSS, then even SSL won't help it - it could end up sending the _wrong_ page, protected by SSL... And in this case I don't even think we can blame browser UI; the browser actually got this `bad` page from the server...

It's not the new issue - it's the concern that frames with other SSL-protected information are not being indicated to the user, thus you can encrypt data with another valid cert within a frame(s) and the user will only know of the main cert from the domain that is indicated by the address bar.

> Maybe I miss something?
>
> BTW, there is a new list focused on such issues, at http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud

-- 
Best Regards,
Lance James
Secure Science Corporation
Re: Feature or Flaw?
> This site is set so that there is a frame of https://www.bankone.com inside my https://slam.securescience.com/threats/mixed.html site. The imaginative part is that you may have to reverse the roles to understand the impact of this (https://www.bankone.com with https://slam.securescience.com frame - done via cross-user attacks trivially).

Let me get this right: here we have a page which appears to be from domain A, but in fact it has frame(s) which display domain B. This allows a page to have the content from domain B but the outward appearance is of domain A, including the SSL lock on the page which indicates this page is safe to the user. It looks like this allows one to spoof domain A quite successfully, unless I'm missing something.

Jeremiah
Re: Feature or Flaw?
* Lance James:
> And as stated above, reverse the effect and it would be the bank's in scenarios such as XSS.

In case of XSS or CSRF, you have lost anyway. The web was not designed as a presentation service for transaction processing, especially if the transactions involve significant value. If you use the web for this purpose, it's always a tradeoff. Maybe it's time to realize that all these web applications together form a huge monoculture, and to move on and diversify again.
Re: Feature or Flaw?
Florian Weimer wrote:
> * Lance James:
>> And as stated above, reverse the effect and it would be the bank's in scenarios such as XSS.
>
> In case of XSS or CSRF, you have lost anyway. The web was not designed as a presentation service for transaction processing, especially if the transactions involve significant value. If you use the web for this purpose, it's always a tradeoff. Maybe it's time to realize that all these web applications together form a huge monoculture, and to move on and diversify again.

Thank you - that was my point essentially. SSL is and always will be, for the web, a broken concept.

-- 
Best Regards,
Lance James
Secure Science Corporation