Re: Feature or Flaw?

2005-07-06 Thread Amir Herzberg
Lance James wrote: Amir Herzberg wrote: Lance James wrote: ... https://slam.securescience.com/threats/mixed.html This site is set so that there is a frame of https://www.bankone.com inside my https://slam.securescience.com/threats/mixed.html site. The imaginative part is that you may

Feature or Flaw?

2005-07-05 Thread Lance James
should not be trusted according to the rules that are dispersed to the mainstream public. Unfortunately, this Mixed attack in a cross-user scenario could be encrypting/decrypting the login page with the attacker cert and no one is the wiser without heavy inspection of the source code. Feature

Re: Feature or Flaw?

2005-07-05 Thread Amir Herzberg
Lance James wrote: ... https://slam.securescience.com/threats/mixed.html This site is set so that there is a frame of https://www.bankone.com inside my https://slam.securescience.com/threats/mixed.html site. The imaginative part is that you may have to reverse the roles to understand the

Re: Feature or Flaw?

2005-07-05 Thread Florian Weimer
* Lance James: Feature, or flaw? Couldn't you just copy (or proxy all content) and get the same effect without using frames at all? Maybe I'm just missing something.

Re: Feature or Flaw?

2005-07-05 Thread Lance James
Amir Herzberg wrote: Lance James wrote: ... https://slam.securescience.com/threats/mixed.html This site is set so that there is a frame of https://www.bankone.com inside my https://slam.securescience.com/threats/mixed.html site. The imaginative part is that you may have to reverse the

Re: Feature or Flaw?

2005-07-05 Thread Lance James
Florian Weimer wrote: * Lance James: Feature, or flaw? Couldn't you just copy (or proxy all content) and get the same effect without using frames at all? How would you go about doing that and still get the SSL Lock to remain as the bank's? Can you give an example? Maybe I'm

Re: Feature or Flaw?

2005-07-05 Thread Florian Weimer
* Lance James: Couldn't you just copy (or proxy all content) and get the same effect without using frames at all? How would you go about doing that and still get the SSL Lock to remain as the bank's? Can you give an example? In both cases, you have the SSL lock on your own certificate. At

Re: Feature or Flaw?

2005-07-05 Thread Lance James
Florian Weimer wrote: * Lance James: Couldn't you just copy (or proxy all content) and get the same effect without using frames at all? How would you go about doing that and still get the SSL Lock to remain as the bank's? Can you give an example? In both cases, you have

Re: Feature or Flaw?

2005-07-05 Thread Lance James
Amir Herzberg wrote: Lance James wrote: ... https://slam.securescience.com/threats/mixed.html This site is set so that there is a frame of https://www.bankone.com inside my https://slam.securescience.com/threats/mixed.html site. The imaginative part is that you may have to reverse the

Re: Feature or Flaw?

2005-07-05 Thread Jeremiah Rogers
This site is set so that there is a frame of https://www.bankone.com inside my https://slam.securescience.com/threats/mixed.html site. The imaginative part is that you may have to reverse the roles to understand the impact of this (https://www.bankone.com with

Re: Feature or Flaw?

2005-07-05 Thread Florian Weimer
* Lance James: And as stated above, reverse the effect and it would be the banks in scenarios such as XSS. In case of XSS or CSRF, you have lost anyway. The web was not designed as a presentation service for transaction processing, especially if the transactions involve significant value.

Re: Feature or Flaw?

2005-07-05 Thread Lance James
Florian Weimer wrote: * Lance James: And as stated above, reverse the effect and it would be the banks in scenarios such as XSS. In case of XSS or CSRF, you have lost anyway. The web was not designed as a presentation service for transaction processing, especially if the