funsec mailing list archives
link from http page to https page
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Sun, 27 Jul 2008 11:44:34 -0400
I've been reading a paper (http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf) on vulnerabilities in financial web sites presented last week at Carnegie Mellon and I'm curious about a statement in it:

"Under no circumstance should an insecure page make a transition to a security-sensitive website hosted on another domain, regardless of whether the destination site uses SSL."

So for example, a link from http://www.bigbankhomepage.com to https://www.bigbanksecurebanking.com/ is inherently insecure. But a link from http://www.bigbankhomepage.com to https://www.bigbankhomepage.com isn't?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
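A site-audit check for the sentence quoted from the paper in the message above, as an added example that is not part of the original post or the paper: it lists every link and form target on a page and marks the ones that leave an http page for a different host. It assumes "domain" means the exact hostname and cannot tell which destinations are security-sensitive, so same-host targets are reported separately rather than judged; the function and verdict names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a navigation or form submission.
NAV_ATTRS = {"a": "href", "area": "href", "form": "action"}


class TargetCollector(HTMLParser):
    """Collects (tag, raw URL) for every link and form action in a page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        wanted = NAV_ATTRS.get(tag)
        self.targets += [(tag, v) for k, v in attrs if k == wanted and v]


def audit_transitions(page_url, html):
    """Return (tag, absolute_url, verdict) for each navigation target.

    'cross-host': http page, target on another host (what the quoted rule forbids).
    'same-host' : page is http and the target stays on the same host.
    'n/a'       : page is not http, or the target is not http/https.
    Assumption: "domain" is compared as the exact hostname.
    """
    page = urlsplit(page_url)
    collector = TargetCollector()
    collector.feed(html)
    results = []
    for tag, raw in collector.targets:
        absolute = urljoin(page_url, raw)  # resolve relative targets
        dest = urlsplit(absolute)
        if page.scheme != "http" or dest.scheme not in ("http", "https"):
            verdict = "n/a"
        elif dest.hostname != page.hostname:
            verdict = "cross-host"
        else:
            verdict = "same-host"
        results.append((tag, absolute, verdict))
    return results


# Constructed sample page; the two bank hostnames are the ones in the message.
SAMPLE_URL = "http://www.bigbankhomepage.com/"
SAMPLE_HTML = """<a href="https://www.bigbanksecurebanking.com/">Banking</a>
<a href="https://www.bigbankhomepage.com/login">Log in</a>
<form action="/search"><input name="q"></form>
<a href="mailto:help@example.com">Help</a>"""
print(audit_transitions(SAMPLE_URL, SAMPLE_HTML))
```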