once more, with feeling.
Arshad Noor
arshad.noor at strongauth.com
Mon Sep 8 15:39:41 EDT 2008
Paul Hoffman wrote:
>
> A less extreme solution would be to make the warning the user sees on a
> mixed-content page more insulting to the bank. "This page contains both
> encrypted and non-encrypted content and is inherently insecure. The
> owner of this web site has clearly made a very poor security decision in
> showing this page to you. It is likely that other pages on this site
> also have similarly poor security. Knowing this, do you wish to continue
> anyway?"
>
A more optimal solution is to have this vulnerability accepted by
the OWASP community as a "Top 10" security vulnerability; it will
have the appropriate intended effect, since mitigation of the OWASP-
defined vulnerabilities is required in PCI-DSS:
"6.5 Develop all web applications based on secure coding guidelines
such as the Open Web Application Security Project guidelines"
https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
http://www.owasp.org/index.php/Top_10_2007
Arshad Noor
StrongAuth, Inc.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com