Amir Herzberg wrote:
Lance James wrote:
...
> https://slam.securescience.com/threats/mixed.html
This site is set so that there is a frame of https://www.bankone.com
inside my https://slam.securescience.com/threats/mixed.html site. The
imaginative part is that you may have to reverse the rolls to
understand the impact of this (https://www.bankone.com with
https://slam.securescience.com frame -> done via cross-user attacks
Ok, I can do the `mental exercise` and understand the attack. But I'm
not sure what is new here. Yes, if a web-site allows such XSS, then
even SSL won't help it - it could end up sending the _wrong_ page,
protected by SSL... And in this case I don't even think we can blame
browser UI; the browser actually got this `bad` page from the server...
It's not the "new" issue - it's the concern that frames with other SSL
protect information is not being indicated to the user, thus you can
encrypt data with another valid cert within a frame(s) and the user will
only know of the main cert from the domain that is indicated by the
address bar.
Maybe I miss something?
BTW, there is a new list focsed on such issues, at
http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud
--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
