WebApp Sec mailing list archives

Re: Re: OT: Inserting Ads without breaking the SSL


From: 7269 () sagedrive com
Date: 27 Apr 2006 06:48:57 -0000

I tried it in Sunnyvale.  Looks to me like Metrofi free service breaks the SSL.  The "lock" icon on the browser is not 
there, and the URL the browser shows has been mangled and has no "https" in it.  My guess is they run a proxy in their 
network that acts as the SSL endpoint, and the connection between user and proxy is unsecured HTTP.

If I'm right, this is a major nastiness to spring on unsuspecting users.  Sites that the user normally uses in SSL mode 
-- email, banking, etc. -- are exposed both over the air and on Metrofi's network.  I hope I'm wrong.
