funsec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: link from http page to https page

From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Sun, 27 Jul 2008 09:53:28 -0700
I think it's a matter more of how users being used to that could be
easily socially engineered on top of a website defacement, as opposed to
any technological security risk. Assuming the site redirected to is, in
fact, what it claims to be, then the user remains safe. The issue is: if
I get redirected from http://www.citicards.com to
https://www.citicards.com.rbn.ru, and don't notice it, I'm hosed. If I'm
used to seeing the domain change, then I am less likely to notice it.
 
There's probably also the underlying assumption in the hosting company
that the "non-secure" domain doesn't need to be as well protected,
thereby making a defacement changing the redirect more likely.
 
 


________________________________

        From: funsec-bounces () linuxbox org
[mailto:funsec-bounces () linuxbox org] On Behalf Of Larry Seltzer
        Sent: Sunday, July 27, 2008 8:45 AM
        To: funsec () linuxbox org
        Subject: [funsec] link from http page to https page
        
        

        I've been reading a paper
(http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf) on
vulnerabilities in financial web sites presented last week at Carnegie
Mellon and I'm curious about a statement in it: "Under no circumstance
should an insecure page make a transition to a security-sensitive
website hosted on another domain, regardless of whether the destination
site uses SSL."

         

        So for example, a link from http://www.bigbankhomepage.com to
https://www.bigbanksecurebanking.com/ is inherently insecure. But a link
from http://www.bigbankhomepage.com to https://www.bigbankhomepage.com
isn't?

         

        Larry Seltzer
        eWEEK.com Security Center Editor
        http://security.eweek.com/ <http://security.eweek.com/> 
        http://blogs.pcmag.com/securitywatch/
<http://blogs.pcmag.com/securitywatch/> 
        Contributing Editor, PC Magazine
        larry.seltzer () ziffdavisenterprise com
<mailto:larry.seltzer () ziffdavisenterprise com> 

         


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Previous By Date Next
Previous By Thread Next

Current thread: