Re: Feature or Flaw?

2005-07-06 Thread Amir Herzberg

Lance James wrote:

Amir Herzberg wrote:

Lance James wrote:
...
  https://slam.securescience.com/threats/mixed.html



This site is set so that there is a frame of https://www.bankone.com 
inside my https://slam.securescience.com/threats/mixed.html site. The 
imaginative part is that you may have to reverse the rolls to 
understand the impact of this (https://www.bankone.com with 
https://slam.securescience.com frame - done via cross-user attacks


Ok, I can do the `mental exercise` and understand the attack. But I'm 
not sure what is new here. Yes, if a web-site allows such XSS, then 


It's not the new issue - it's the concern that frames with other SSL 
protect information is not being indicated to the user, thus you can 
encrypt data with another valid cert within a frame(s) and the user will 
only know of the main cert from the domain that is indicated by the 
address bar.
Well, but I don't see that this has much to do with SSL, really. The 
problem is that the attacker is able to cause the server to send a page 
controlled (partially or fully) by the attacker. This should not happen. 
SSL is only supposed to ensure that the client got the page as the 
server sent it - and this does happen. Of course, this cannot protect 
against an infinite list of possible errors and vulnerabilities of the 
server:

-- XSS attacks
-- Defacement
-- an employee intentionally putting a script to do something
...
I think that your complaint/observation is that browsers normally warn 
when displaying a page which is partially protected and partially not, 
but may not complain when displaying a page protected by cert X, but 
including frame protected by cert Y. Well, this can be fixed, but I'm 
not sure this is really important. The problem is really the fact that 
the page was modified in the first place. Instead of including a 
protected (or unprotected) frame with the rogue code, the attack could 
have sent the rogue code directly from the compromised site.

--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: 
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Amir Herzberg

Lance James wrote:
...
  https://slam.securescience.com/threats/mixed.html


This site is set so that there is a frame of https://www.bankone.com 
inside my https://slam.securescience.com/threats/mixed.html site. The 
imaginative part is that you may have to reverse the rolls to understand 
the impact of this (https://www.bankone.com with 
https://slam.securescience.com frame - done via cross-user attacks


Ok, I can do the `mental exercise` and understand the attack. But I'm 
not sure what is new here. Yes, if a web-site allows such XSS, then even 
SSL won't help it - it could end up sending the _wrong_ page, protected 
by SSL... And in this case I don't even think we can blame browser UI; 
the browser actually got this `bad` page from the server...


Maybe I miss something?

BTW, there is a new list focsed on such issues, at 
http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud

--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: 
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Florian Weimer
* Lance James:

 Feature, or flaw?

Couldn't you just copy (or proxy all content) and get the same effect
without using frames at all?

Maybe I'm just missing something.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Lance James

Amir Herzberg wrote:


Lance James wrote:
...
  https://slam.securescience.com/threats/mixed.html



This site is set so that there is a frame of https://www.bankone.com 
inside my https://slam.securescience.com/threats/mixed.html site. The 
imaginative part is that you may have to reverse the rolls to 
understand the impact of this (https://www.bankone.com with 
https://slam.securescience.com frame - done via cross-user attacks



Ok, I can do the `mental exercise` and understand the attack. But I'm 
not sure what is new here. Yes, if a web-site allows such XSS, then 
even SSL won't help it - it could end up sending the _wrong_ page, 
protected by SSL... And in this case I don't even think we can blame 
browser UI; the browser actually got this `bad` page from the server...


Maybe I miss something?



Ok, XSS or not, my concern is that you have multiple Certificates within 
a session, and the user is not aware of the others. Yes, they are valid, 
but define valid within SSL certs means, I go to geotrust or some CA, 
use my stolen credit card and buy a valid cert.





BTW, there is a new list focsed on such issues, at 
http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud




--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Lance James

Florian Weimer wrote:


* Lance James:

 


Feature, or flaw?
   



Couldn't you just copy (or proxy all content) and get the same effect
without using frames at all?
 



How would you go about doing that and still get the SSL Lock to remain 
as the banks? Can you give an example?



Maybe I'm just missing something.


 




--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Florian Weimer
* Lance James:

Couldn't you just copy (or proxy all content) and get the same effect
without using frames at all?

 How would you go about doing that and still get the SSL Lock to remain 
 as the banks? Can you give an example?

In both cases, you have the SSL lock on your own certificate.

At least my browser does not provide a user interface to access the
certificates of the servers from which embedded objects (or frames)
were downloaded.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Lance James

Florian Weimer wrote:


* Lance James:

 


Couldn't you just copy (or proxy all content) and get the same effect
without using frames at all?
 



 

How would you go about doing that and still get the SSL Lock to remain 
as the banks? Can you give an example?
   



In both cases, you have the SSL lock on your own certificate.
 



And as stated above, reverse the effect and it would be the banks in 
scenarios such as XSS. The Banks SSL cert is actually handling all the 
data, my concern is that the user is not aware of this and only trusts 
the domain that's indicated in the address bar's cert.



At least my browser does not provide a user interface to access the
certificates of the servers from which embedded objects (or frames)
were downloaded.


 




--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Lance James

Amir Herzberg wrote:


Lance James wrote:
...
  https://slam.securescience.com/threats/mixed.html



This site is set so that there is a frame of https://www.bankone.com 
inside my https://slam.securescience.com/threats/mixed.html site. The 
imaginative part is that you may have to reverse the rolls to 
understand the impact of this (https://www.bankone.com with 
https://slam.securescience.com frame - done via cross-user attacks



Ok, I can do the `mental exercise` and understand the attack. But I'm 
not sure what is new here. Yes, if a web-site allows such XSS, then 
even SSL won't help it - it could end up sending the _wrong_ page, 
protected by SSL... And in this case I don't even think we can blame 
browser UI; the browser actually got this `bad` page from the server...




It's not the new issue - it's the concern that frames with other SSL 
protect information is not being indicated to the user, thus you can 
encrypt data with another valid cert within a frame(s) and the user will 
only know of the main cert from the domain that is indicated by the 
address bar.



Maybe I miss something?

BTW, there is a new list focsed on such issues, at 
http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud




--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Jeremiah Rogers

 This site is set so that there is a frame of https://www.bankone.com
 inside my https://slam.securescience.com/threats/mixed.html site. The
 imaginative part is that you may have to reverse the rolls to 
understand

 the impact of this (https://www.bankone.com with
 https://slam.securescience.com frame - done via cross-user attacks
 trivially).

Let me get this right: here we have a page which appears to be from
domain A, but in fact it has frame(s) which display domain B. This
allows a page to have the content from domain B but the outward
appearance is of domain A, including the SSL lock on the page which
indicates this page is safe to the user.

It looks like this allows
one to spoof domain A quite successfully, unless I'm missing
something.

Jeremiah


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Florian Weimer
* Lance James:

 And as stated above, reverse the effect and it would be the banks in 
 scenarios such as XSS.

In case of XSS or CSRF, you have lost anyway.  The web was not
designed as a presentation service for transaction processing,
especially if the transactions involve significant value.  If you use
the web for this purpose, it's always a tradeoff.

Maybe it's time to realize that all these web applications together
form a huge monoculture, and to move on and diversify again.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Feature or Flaw?

2005-07-05 Thread Lance James

Florian Weimer wrote:


* Lance James:

 

And as stated above, reverse the effect and it would be the banks in 
scenarios such as XSS.
   



In case of XSS or CSRF, you have lost anyway.  The web was not
designed as a presentation service for transaction processing,
especially if the transactions involve significant value.  If you use
the web for this purpose, it's always a tradeoff.

Maybe it's time to realize that all these web applications together
form a huge monoculture, and to move on and diversify again.
 



Thank you - that was my point essentially. SSL is and always will be for 
web a broken concept.




 




--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]