funsec mailing list archives
Re: link from http page to https page
From: charlie derr <cderr () simons-rock edu>
Date: Sun, 27 Jul 2008 12:58:13 -0400
Larry Seltzer wrote:
I’ve been reading a paper (http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf) on vulnerabilities in financial web sites presented last week at Carnegie Mellon and I’m curious about a statement in it: “/Under no circumstance should an insecure page make a transition to a security-sensitive website hosted on another domain, regardless of whether the destination site uses SSL./”
Hello, I haven't gone back to look at context, but perhaps the word "transition" is used to specifically refer to an in-page redirection (using a Header at the http: address (or from a form submitted from an http: page) to redirect immediately (and mostly silently for the general public) to an https: address).
So for example, a link from http://www.bigbankhomepage.com to https://www.bigbanksecurebanking.com/ is inherently insecure. But a link from http://www.bigbankhomepage.com to https://www.bigbankhomepage.com isn’t?
If I were to enter http://mybank.com in my browser window and be silently redirected to https://mybank.com when I hit enter, I wouldn't mind; in fact, I think I'd be impressed. If however I were instead redirected (silently) to https://any-other.domain I'd definitely begin to wonder about the security and thought behind their infrastructure.

Again, I haven't gone back to look at the paper you cite, but the way the sentence you quote is constructed (i.e. "make a transition") leads me to believe that the author may be talking about behind-the-scenes processing after clicking on a URL or button (and not the relationship of the links listed on the page to the domain the page visitor is seeing (as you seem to be assuming)). But I may have it completely wrong,

~c

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
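The distinction the thread is circling (an http page handing the user to https on the same domain versus on an unrelated domain) can be checked mechanically over a chain of links or redirect hops. The following is an added example, not code from the thread or the paper; it assumes the "registrable domain" can be approximated by the last two DNS labels, which is a simplification in place of a Public Suffix List lookup.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    # Assumption: the last two DNS labels stand in for the registrable
    # domain. A production audit would consult the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_transition(src: str, dst: str) -> str:
    """Classify one hop (a link or a redirect) from src to dst."""
    s, d = urlsplit(src), urlsplit(dst)
    if d.scheme != "https":
        return "insecure-destination"      # ends up on plain http
    same_domain = (registrable_domain(s.hostname or "")
                   == registrable_domain(d.hostname or ""))
    if s.scheme == "http" and not same_domain:
        return "cross-domain-from-http"    # the transition the paper forbids
    if s.scheme == "http":
        return "same-domain-upgrade"       # http://mybank.com -> https://mybank.com
    return "https-to-https"


def audit_chain(hops):
    """Return (src, dst, verdict) for every consecutive pair in a hop list."""
    return [(a, b, classify_transition(a, b)) for a, b in zip(hops, hops[1:])]


if __name__ == "__main__":
    # Constructed sample chains mirroring the hostnames used in the thread.
    samples = (
        ["http://www.bigbankhomepage.com/", "https://www.bigbanksecurebanking.com/"],
        ["http://mybank.com/", "https://mybank.com/login"],
    )
    for chain in samples:
        for src, dst, verdict in audit_chain(chain):
            print(f"{verdict:24} {src} -> {dst}")
```

Feed `audit_chain` the Location targets recorded while following a real login flow to see which hop, if any, leaves the originating domain from an http page.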