I've been reading a paper (http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf) on vulnerabilities in financial web sites presented last week at Carnegie Mellon and I'm curious about a statement in it: "Under no circumstance should an insecure page make a transition to a security-sensitive website hosted on another domain, regardless of whether the destination site uses SSL."
So for example, a link from http://www.bigbankhomepage.com to https://www.bigbanksecurebanking.com/ is inherently insecure. But a link from http://www.bigbankhomepage.com to https://www.bigbankhomepage.com isn't? Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ <http://security.eweek.com/> http://blogs.pcmag.com/securitywatch/ <http://blogs.pcmag.com/securitywatch/> Contributing Editor, PC Magazine [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
