Feature or Flaw?
Amir Herzberg
herzbea at macs.biu.ac.il
Wed Jul 6 03:34:11 EDT 2005
Lance James wrote:
> Amir Herzberg wrote:
>> Lance James wrote:
>> ...
>> > https://slam.securescience.com/threats/mixed.html
>>
>>>
>>> This site is set so that there is a frame of https://www.bankone.com
>>> inside my https://slam.securescience.com/threats/mixed.html site. The
>>> imaginative part is that you may have to reverse the roles to
>>> understand the impact of this (https://www.bankone.com with
>>> https://slam.securescience.com frame -> done via cross-user attacks
>>
>> Ok, I can do the `mental exercise` and understand the attack. But I'm
>> not sure what is new here. Yes, if a web-site allows such XSS, then
>
> It's not the "new" issue - it's the concern that frames with other SSL
> protected information is not being indicated to the user, thus you can
> encrypt data with another valid cert within a frame(s) and the user will
> only know of the main cert from the domain that is indicated by the
> address bar.

Well, but I don't see that this has much to do with SSL, really. The
problem is that the attacker is able to cause the server to send a page
controlled (partially or fully) by the attacker. This should not happen.
SSL is only supposed to ensure that the client got the page as the
server sent it - and this does happen. Of course, this cannot protect
against an infinite list of possible errors and vulnerabilities of the
server:
-- XSS attacks
-- Defacement
-- an employee intentionally putting a script to do <something>
...
I think that your complaint/observation is that browsers normally warn
when displaying a page which is partially protected and partially not,
but may not complain when displaying a page protected by cert X, but
including a frame protected by cert Y. Well, this can be fixed, but I'm
not sure this is really important. The problem is really the fact that
the page was modified in the first place. Instead of including a
protected (or unprotected) frame with the rogue code, the attack could
have sent the rogue code directly from the compromised site.
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI:
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
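
Added example, not part of the original message or of either poster's code: a site owner's audit of a served page that lists every frame and flags those loaded from a host other than the one in the address bar, or without HTTPS, which is the situation the thread says browsers do not indicate. The URLs and HTML are constructed sample input, and a hostname comparison is an assumed stand-in for "different certificate" (one certificate can cover several hosts).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample input (hypothetical hosts, not taken from the thread).
SAMPLE_URL = "https://portal.example/threats/mixed.html"
SAMPLE_HTML = """
<html><frameset cols="50%,50%">
  <FRAME SRC="https://BANK.example/">
  <frame src="/help.html">
</frameset>
<body><iframe src="http://ads.example/banner.html"></iframe></body></html>
"""

class FrameCollector(HTMLParser):
    """Collect the src attribute of every <frame> and <iframe> element."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def audit_frames(page_url, html):
    """Return (absolute_frame_url, finding) for each frame in the page."""
    top = urlsplit(page_url)
    collector = FrameCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        url = urljoin(page_url, src)       # resolve relative frame URLs
        parts = urlsplit(url)
        if parts.scheme != "https":
            finding = "not-https"          # mixed content: browsers warn on this
        elif parts.hostname != top.hostname:
            finding = "different-host"     # HTTPS, but not the address-bar host
        else:
            finding = "same-host"
        findings.append((url, finding))
    return findings

if __name__ == "__main__":
    for url, finding in audit_frames(SAMPLE_URL, SAMPLE_HTML):
        print(f"{finding:15} {url}")
```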