Feature or Flaw?

Lance James lancej at securescience.net
Tue Jul 5 11:43:51 EDT 2005


Florian Weimer wrote:

>* Lance James:
>
>>>Couldn't you just copy (or proxy all content) and get the same effect
>>>without using frames at all?
>
>>How would you go about doing that and still get the SSL Lock to remain
>>as the bank's? Can you give an example?
>
>In both cases, you have the SSL lock on your own certificate.

And as stated above, reverse the effect and it would be the bank's in
scenarios such as XSS. The bank's SSL cert is actually handling all the
data; my concern is that the user is not aware of this and only trusts
the domain that's indicated in the address bar's cert.

>At least my browser does not provide a user interface to access the
>certificates of the servers from which embedded objects (or frames)
>were downloaded.


-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


