On Mon, Jun 28, 2010 at 1:30 PM, Dan Kaminsky <[email protected]> wrote: > >> In summary, any http hit on an insecure network is dangerous on all >> browsers. >> (FWIW, Chromium resolves this for me. When I type mail<enter> into the >> omnibar, it auto-completes to https://mail.google.com/) >> > > Actually, I see this as a legitimate gap. HTTP links don't cache-mix with > HTTPS links, and cookies can have server-side integrity checking to prevent > HTTP pollution (lets not talk about the secure tag for cookies), but if it > is indeed the case that there is no way to have a HTTPS-exclusive > Application Cache, then that is a feature killing bug that's been > legitimately called out.
Eh? Lava's attack poisons a plain HTTP resource. As per "regular" caching, Application Cache is supposed to separate the effects of HTTP and HTTPS responses. Cheers Chris > > --Dan > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
