To secure browser which is very fragile, the approach of HTTPS Only 3.1 is
1. Only HTTPS URLs(no other protocols)
2. Whitelist of domains(anything outside of whitelist is blocked)
Now, let's look at threats:
1. Man in the middle - it's fixed.
2. Phishing always requires the
When we browse the web, top threats are:
1. Remote code execution - everything is lost
2. Man in the middle - sniffing, and tampering
3. Phishing - simple, old, and still quite useful
4. Cross site scripting - data of the vulnerable domain is lost
5. CSRF - unauthorized action
So, what if the
(@moderators The original post was too brief. This one has details.)
This tool completely locks browser - just HTTPS, nothing else. This
tool is extremely simple - less than 100 lines of code(Python and
Firefox Add-on Firesheep Brings Hacking to the Masses
If you are a network administrator, keeping browser updated is the first thing
to do for security. Chrome is a very good browser, but it's a little bit
complicated to answer this simple question: what is the version of the latest
stable Chrome? And for people in places such as
It's public now:
They did reproduce
I can reproduce this locally
They say it's DoS
seems like any renderer denial-of-service
(The browser does not crash!)
They say it's not security issue
remove security flags from
The click to verify thing is completely broken...
Anyone can be BBB Accredited Business etc.
You can make whitehouse.gov display We love Islamic State :-)
No user interaction on the fake page.
We like it. We read it.
On 2015/5/31 23:09, Michal Zalewski wrote:
On Thu, May 28, 2015 at 10:47 PM, David Leo firstname.lastname@example.org wrote:
Proof of concept:
Proof of concept:
It works on fully patched versions of iOS and OS X.
How it works:
Just keep trying to load the web page of target domain.
How We Got It:
Safari changes address bar to new URL,
BEFORE new content is loaded.
Spartan - vulnerable (Windows 10)
Thanks to Zaakiy Siddiqui!
Many asked for it.
It's Universal XSS, as we tested:
Analyst | Security Operations
Centre | Royal Bank of Canada
From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of
Sent: 2015, February, 04 6:46 PM
To: David Leo; Joey Fowler
Cc: email@example.com; b
Deusen just published code and description here:
which demonstrates the serious security issue.
An Internet Explorer vulnerability is shown here:
Content of dailymail.co.uk can be changed by external domain.
How To Use
Mail list logo