Hi,
This reminds me the most weird SSL related error message I have ever
seen and which is there since ages:
https://www.fbi.gov
Beside that the certificate is wrong :-)
regards,
Sebastian
On Mon, Sep 08, 2008 at 01:29:34AM +1200, Peter Gutmann wrote:
In the ongoing comedy of errors that
An employee has no reasonable expectation of privacy in personal files
stored on a company-owned computer and an employer's consent makes a
police search lawful, an appeals court says in a ruling of first
impression in New Jersey.
We conclude ... that neither the law nor society recognize as
I was shocked that several people posted in response to Peter
Gutmann's note about Wachovia, asking (I paraphrase):
What is the problem here? Wachovia's front page is only http
protected, but the login information is posted with https! Surely this
is just fine, isn't it?
I'm not going to
Peter == Peter Gutmann [EMAIL PROTECTED] writes:
Peter On a semi-related topic, it'd be interesting to get some
Peter discussion about FF3 removing the FF2 SSL indicators of the
Peter padlock and (more visibly) the background colour-change for
Peter the URL bar when SSL is active
Perry E. Metzger wrote:
I was shocked that several people posted in response to Peter
Gutmann's note about Wachovia, asking (I paraphrase):
What is the problem here? Wachovia's front page is only http
protected, but the login information is posted with https! Surely this
is just fine, isn't it?
At 4:16 PM +0100 9/8/08, Darren J Moffat wrote:
Hopefully this is interesting enough to get forwarded on...
Ditto. :-)
Warnings aren't enough in this context [ whey already exists ] the
only thing that will work is stopping the page being seen -
replacing it with a clearly worded
Paul Hoffman wrote:
A less extreme solution would be to make the warning the user sees on a
mixed-content page more insulting to the bank. This page contains both
encrypted and non-encrypted content and is inherently insecure. The
owner of this web site has clearly made a very poor security
Arshad Noor wrote:
A more optimal solution is to have this vulnerability accepted by
the OWASP community as a Top 10 security vulnerability; it will
have the appropriate intended effect since mitigation to the OWASP
defined vulnerabilities is required in PCI-DSS:
6.5 Develop all web
Darren Lasko wrote:
Arshad Noor wrote:
6.5 Develop all web applications based on secure coding guidelines
such as the Open Web Application Security Project guidelines
Isn't this vulnerability already in the Top 10, specifically A7 - Broken
Authentication and Session Management (
On Mon, Sep 08, 2008 at 04:16:46PM +0100, Darren J Moffat wrote:
|
| I believe the only way both of these highly dubious deployment practices
| will be stamped out is when the browsers stop allowing users to see such
| web pages. So that there becomes a directly attributable financial
| impact
10 matches
Mail list logo
