Hi John,
On Friday, 21 June 2002, at 18:31, John Stracke wrote:
I disbelieve. All he would've had to do would be to modify the login
form handler instead of the form itself. As you've described it,
SigHTTP does nothing for dynamic content.
I told the case too briefly. In reality it was
Hi harald,
At 22:20 20.06.02 -0400, you wrote:
you might want to check out RFC 2660 - The Secure HyperText Transfer
Protocol; this is closer to your thinking than the presently popular HTTP
over TLS.
I think our sigHTTP idea is different in at least these 3 points:
1) the signature is computed over either the entire HTML or only the static
parts with strict conditions about the unsigned dynamic parts
[...]
3) nearly nothing has to be changed on webserver or browser side to access
the content, the RFC 2660 seems to make much more trouble in this
Hi John,
On Friday, 21 June 2002, at 15:32, John Stracke wrote:
1) the signature is computed over either the entire HTML or only the static
parts with strict conditions about the unsigned dynamic parts
[...]
3) nearly nothing has to be changed on webserver or browser side to
And at least I think you are too pessimistic by the small number of
interested people. I have the impression here in Germany are still lots
of people concerned and frightened every time some TV magazine reports
online banking bugs here and security frauds there. If everyone is
complaining how
Hi John,
On Friday, 21 June 2002, at 17:00, John Stracke wrote:
And at least I think you are too pessimistic by the small number of
interested people. I have the impression here in Germany are still lots
of people concerned and frightened every time some TV magazine reports
online
Kai Kretschmann [EMAIL PROTECTED] writes:
Did anyone read the announcement of the internet draft about sighttp
last may?
Any ideas, critics, comments are welcome. I did put a copy of the
document to the website www.sighttp.org for further discussion.
The system you describe appears to have
He changed the login form in such a way that he was sent the one time
transaction code of the money transfer and displayed a successful
result by himself from the hijacked web server. The SSL certificate was
of no use in this case, it even kept the user in wrong confidence.
The SigHTTP would
you might want to check out RFC 2660 - The Secure HyperText Transfer
Protocol; this is closer to your thinking than the presently popular HTTP
over TLS.
the problem of ubiquitous deployment is Real Hard.
Harald
--On 19 June 2002 18:38 +0200 Kai Kretschmann
[EMAIL