Feature or Flaw?

Jeremiah Rogers jeremiah at kingprimate.com
Tue Jul 5 12:35:42 EDT 2005


 > This site is set so that there is a frame of https://www.bankone.com
 > inside my https://slam.securescience.com/threats/mixed.html site. The
 > imaginative part is that you may have to reverse the roles to understand
 > the impact of this (https://www.bankone.com with
 > https://slam.securescience.com frame -> done via cross-user attacks
 > trivially).

Let me get this right: here we have a page which appears to be from
domain A, but in fact it has frame(s) which display domain B. This
allows a page to have the content from domain B but the outward
appearance is of domain A, including the SSL lock on the page which
indicates "this page is safe" to the user.

It looks like this allows one to spoof domain A quite successfully,
unless I'm missing something.

Jeremiah


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
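
The framing arrangement discussed in the message above can be audited from the page source. The following is an added example, not part of the original post: it lists every frame whose origin (scheme, host, port) differs from that of the URL shown in the address bar, which is the origin the lock icon vouches for. The sample HTML, the frame file names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return the (scheme, host, port) origin tuple for an http(s) URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)

class FrameCollector(HTMLParser):
    """Collect the src of every <frame> and <iframe> element."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def foreign_frames(page_url, html):
    """Return absolute URLs of frames whose origin differs from page_url's."""
    collector = FrameCollector()
    collector.feed(html)
    top = origin(page_url)
    # Relative src values resolve against the page, so they stay same-origin.
    resolved = (urljoin(page_url, src) for src in collector.sources)
    return [url for url in resolved if origin(url) != top]

# Constructed sample page modelled on the setup described in the thread.
SAMPLE_URL = "https://slam.securescience.com/threats/mixed.html"
SAMPLE_HTML = """
<html><frameset rows="20%,80%">
  <frame src="banner.html">
  <frame src="https://www.bankone.com/">
  <frame src="https://slam.securescience.com:443/threats/footer.html">
</frameset></html>
"""

if __name__ == "__main__":
    for url in foreign_frames(SAMPLE_URL, SAMPLE_HTML):
        print("frame from a different origin than the address bar:", url)
```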


