funsec mailing list archives

Re: link from http page to https page
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Sun, 27 Jul 2008 13:04:40 -0400

...if I get redirected from http://www.citicards.com to
https://www.citicards.com.rbn.ru,...
Of course the only way that's going to happen is with cross-site
scripting or some such bug, and that bug is the problem. 
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com
From: Tomas L. Byrnes [mailto:tomb () byrneit net] 
Sent: Sunday, July 27, 2008 12:53 PM
To: Larry Seltzer; funsec () linuxbox org
Subject: RE: [funsec] link from http page to https page
I think it's a matter more of how users being used to that could be
easily socially engineered on top of a website defacement, as opposed to
any technological security risk. Assuming the site redirected to is, in
fact, what it claims to be, then the user remains safe. The issue is: if
I get redirected from http://www.citicards.com to
https://www.citicards.com.rbn.ru, and don't notice it, I'm hosed. If I'm
used to seeing the domain change, then I am less likely to notice it.
There's probably also the underlying assumption in the hosting company
that the "non-secure" domain doesn't need to be as well protected,
thereby making a defacement changing the redirect more likely.
________________________________


        From: funsec-bounces () linuxbox org
[mailto:funsec-bounces () linuxbox org] On Behalf Of Larry Seltzer
        Sent: Sunday, July 27, 2008 8:45 AM
        To: funsec () linuxbox org
        Subject: [funsec] link from http page to https page

        I've been reading a paper
(http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf) on
vulnerabilities in financial web sites presented last week at Carnegie
Mellon and I'm curious about a statement in it: "Under no circumstance
should an insecure page make a transition to a security-sensitive
website hosted on another domain, regardless of whether the destination
site uses SSL."
        So for example, a link from http://www.bigbankhomepage.com to
https://www.bigbanksecurebanking.com/ is inherently insecure. But a link
from http://www.bigbankhomepage.com to https://www.bigbankhomepage.com
isn't?
        Larry Seltzer
        eWEEK.com Security Center Editor
        http://security.eweek.com/
        http://blogs.pcmag.com/securitywatch/
        Contributing Editor, PC Magazine
        larry.seltzer () ziffdavisenterprise com
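The rule quoted from the paper, turned into a link-audit check that a site owner could run over their own http pages (an added example, not code from the thread or the paper; it assumes a constructed, deliberately tiny public-suffix table and a constructed sample page built from the examples above):

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed, deliberately tiny public-suffix table for this example; a real
# audit would load the full Public Suffix List instead (assumption).
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "co.uk"}

def registrable_domain(host):
    """Registrable domain (eTLD+1) of a hostname, e.g.
    'www.citicards.com.rbn.ru' -> 'rbn.ru', so the lookalike from the
    thread compares unequal to 'citicards.com' however it is prefixed."""
    labels = host.lower().rstrip(".").split(".")
    # Longest candidate suffix is tried first, so 'co.uk' wins over 'uk'.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()

def classify_transition(page_url, link_url):
    """Apply the paper's rule: an insecure (http) page must not link to a
    site on another domain, even if the destination uses https."""
    page, link = urlsplit(page_url), urlsplit(link_url)
    if link.scheme not in ("http", "https") or not link.hostname:
        return "non-web"
    if page.scheme != "http":
        return "secure-origin"  # the rule only constrains insecure pages
    if registrable_domain(page.hostname) != registrable_domain(link.hostname):
        return "cross-domain"   # forbidden regardless of https at the target
    return "same-domain"

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit_links(page_url, html):
    """Return (href, verdict) for every anchor on the page."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(h, classify_transition(page_url, urljoin(page_url, h)))
            for h in collector.hrefs]

# Constructed sample page mirroring the examples in the thread.
SAMPLE_HTML = """<a href="https://www.bigbankhomepage.com/login">Log in</a>
<a href="https://www.bigbanksecurebanking.com/">Online banking</a>
<a href="/about">About</a>"""
```

Run `audit_links("http://www.bigbankhomepage.com/", SAMPLE_HTML)` to see the secure-banking link flagged as cross-domain while the same-domain login link passes.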
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.