Duane wrote:
"Firstly we have to talk about where this piece of code has to be:
- Many websites run a guestbook that allows to insert html.
- Some providers allow their users to run a private website at
www.domain.com/user or www.domain.com/~user.
- Some providers give users a subdomain like user.domain.com
- Some ISPs don't allow you to access domain.com but only www.domain.com
Secondly we have to think about who might be allowed to change this
index page:
- Some WIKIs allow everyone to change their index page
- Some pages have a newsticker on their index page that can be
updated by normal users (e.g. www.fsi.uni-tuebingen.de)
- Websites are often run by a multimedia/design/... department
that has nothing to do with administration."
... and...
"Many websites run php/cgi/whatever scripts that are vulnerable to
code-injection, and would allow to put the cacert code wherever the
attacker likes to. phpBB comes to mind, and so many other
applications."
Good stuff. Remember, there are no absolutely
secure systems. Do not let the perfect be the
enemy of the good. If you want references, I can
supply...
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto