[Fwd: BugTraq - how to coverup the security]

Ian Grigg iang at systemics.com
Mon Jul 14 20:29:07 EDT 2003


Over on BugTraq, there is a new security flaw being
demonstrated that allows a page to cover up various
of the security components for an IE browser.

I can't see them on my browser, but what I saw on an
IE equipped browser was good enough to fool some people.

It's worth checking out!  It really did open eyes
over here!  It's not actually clear to me that any
of the ideas we've discussed here - caching of self-
signed certs, enhanced security displays, etc - will
overcome this.

Just yet more evidence that the attacker is not
playing by the rules laid down in the secure browser
security model :-/

iang


---------- Forwarded Message ----------
Date: Monday, July 14, 2003 18:20 -0400
From: jrw at e-gold.com
To: e-gold Discussion <e-gold-list at talk.e-gold.com>
Subject: [e-gold-list] A Caution for Windows Internet Explorer 5.5+ users

Microsoft Windows users that use Internet Explorer versions
5.5 and up (including 6.0) will want to pay special attention
to the information contained in these recent posts on security
related mailing lists:

http://www.securityfocus.com/archive/1/328947/2003-07-11/2003-07-17/0
http://www.securityfocus.com/archive/1/328978/2003-07-11/2003-07-17/0
http://www.securityfocus.com/archive/1/329014/2003-07-11/2003-07-17/0

Of particular interest to SSL secure site (such as e-gold.com) users
is the capability to overwrite the location bar and padlock (with
a borderless popup window).

The notice gives a workaround of "Disable Active Scripting", which
you should consider. Another option would be to choose an alternative
web browser, such as Mozilla, available at www.mozilla.org.

jay w.
jrw at e-gold.com




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com