Amir Herzberg wrote:

Lance James wrote:

This site is set so that there is a frame of inside my site. The imaginative part is that you may have to reverse the rolls to understand the impact of this ( with frame -> done via cross-user attacks

Ok, I can do the `mental exercise` and understand the attack. But I'm not sure what is new here. Yes, if a web-site allows such XSS, then even SSL won't help it - it could end up sending the _wrong_ page, protected by SSL... And in this case I don't even think we can blame browser UI; the browser actually got this `bad` page from the server...

Maybe I miss something?

Ok, XSS or not, my concern is that you have multiple Certificates within a session, and the user is not aware of the others. Yes, they are valid, but define valid within SSL certs means, I go to geotrust or some CA, use my stolen credit card and buy a valid cert.

BTW, there is a new list focsed on such issues, at

Best Regards,
Lance James
Secure Science Corporation
Author of 'Phishing Exposed'
Find out how malware is affecting your company: Get a DIA account today! - it's free!

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to