On Mon, Sep 08, 2008 at 04:16:46PM +0100, Darren J Moffat wrote:
|
| I believe the only way both of these highly dubious deployment practices
| will be stamped out is when the browsers stop allowing users to see such
| web pages. So that there becomes a directly attributable financial
| impact
Darren Lasko wrote:
Arshad Noor wrote:
"6.5 Develop all web applications based on secure coding guidelines
such as the Open Web Application Security Project guidelines"
Isn't this vulnerability already in the Top 10, specifically "A7 - Broken
Authentication and Session Management" (
http:/
Arshad Noor wrote:
> A more optimal solution is to have this vulnerability accepted by
> the OWASP community as a "Top 10" security vulnerability; it will
> have the appropriate intended effect since mitigation to the OWASP
> defined vulnerabilities is required in PCI-DSS:
>
> "6.5 Develop all web
Paul Hoffman wrote:
A less extreme solution would be to make the warning the user sees on a
mixed-content page more insulting to the bank. "This page contains both
encrypted and non-encrypted content and is inherently insecure. The
owner of this web site has clearly made a very poor security
At 4:16 PM +0100 9/8/08, Darren J Moffat wrote:
Hopefully this is interesting enough to get forwarded on...
Ditto. :-)
Warnings aren't enough in this context [ whey already exists ] the
only thing that will work is stopping the page being seen -
replacing it with a clearly worded explanation
Perry E. Metzger wrote:
I was shocked that several people posted in response to Peter
Gutmann's note about Wachovia, asking (I paraphrase):
"What is the problem here? Wachovia's front page is only http
protected, but the login information is posted with https! Surely this
is just fine, isn't it?
> "Peter" == Peter Gutmann <[EMAIL PROTECTED]> writes:
Peter> On a semi-related topic, it'd be interesting to get some
Peter> discussion about FF3 removing the FF2 SSL indicators of the
Peter> padlock and (more visibly) the background colour-change for
Peter> the URL bar when S
I was shocked that several people posted in response to Peter
Gutmann's note about Wachovia, asking (I paraphrase):
"What is the problem here? Wachovia's front page is only http
protected, but the login information is posted with https! Surely this
is just fine, isn't it?"
I'm not going to expla
An employee has no reasonable expectation of privacy in personal files
stored on a company-owned computer and an employer's consent makes a
police search lawful, an appeals court says in a ruling of first
impression in New Jersey.
"We conclude ... that neither the law nor society recognize as
legi
Peter Gutmann wrote:
IanG <[EMAIL PROTECTED]> writes:
4. Skype. Doesn't do email, but aside from that minor character flaw, it
cracked everything else. It's the best example of what it should look like.
The UI still leaves quite a lot to be desired. Try sitting a non-geek user in
front of
Hi,
This reminds me the most weird SSL related error message I have ever
seen and which is there since ages:
https://www.fbi.gov
Beside that the certificate is wrong :-)
regards,
Sebastian
On Mon, Sep 08, 2008 at 01:29:34AM +1200, Peter Gutmann wrote:
> In the ongoing comedy of errors that i
11 matches
Mail list logo