funsec mailing list archives

Re: link from http page to https page


From: charlie derr <cderr () simons-rock edu>
Date: Sun, 27 Jul 2008 12:58:13 -0400

Larry Seltzer wrote:
> I've been reading a paper
> (http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf) on
> vulnerabilities in financial web sites presented last week at Carnegie
> Mellon and I'm curious about a statement in it: "Under no circumstance
> should an insecure page make a transition to a security-sensitive
> website hosted on another domain, regardless of whether the destination
> site uses SSL."


Hello,

I haven't gone back to look at context, but perhaps the word "transition" is used to specifically refer to an in-page redirection (using a Header at the http: address (or from a form submitted from an http: page) to redirect immediately (and mostly silently for the general public) to an https: address).


> So for example, a link from http://www.bigbankhomepage.com to
> https://www.bigbanksecurebanking.com/ is inherently insecure. But a link
> from http://www.bigbankhomepage.com to https://www.bigbankhomepage.com
> isn't?


If I were to enter http://mybank.com in my browser window and be silently redirected to https://mybank.com when I hit enter, I wouldn't mind; in fact, I think I'd be impressed.

If, however, I were instead redirected (silently) to https://any-other.domain I'd definitely begin to wonder about the security and thought behind their infrastructure.

Again, I haven't gone back to look at the paper you cite, but the way the sentence you quote is constructed (i.e. "make a transition") leads me to believe that the author may be talking about behind-the-scenes processing after clicking on a URL or button (and not the relationship of the links listed on the page to the domain the page visitor is seeing (as you seem to be assuming)).

        but I may have it completely wrong,
                ~c
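The distinction drawn in this thread (a same-domain http-to-https upgrade versus an insecure page handing the visitor off to a security-sensitive site on another domain, whether or not that site uses SSL) can be checked mechanically against a redirect chain. The script below is an added example written for this page; it is not code from the funsec thread or from the cited paper. The hostnames (mybank.example, www.bigbankhomepage.example, www.bigbanksecurebanking.example) and the Location responses are constructed, and the registrable-domain logic assumes a plain two-label suffix rather than a public-suffix-list lookup.

```python
"""Walk a redirect chain and classify each hop the way the quoted rule does.

Added example, not from the funsec thread or the cited SOUPS paper.
All hosts and responses below are constructed for illustration.
"""
from urllib.parse import urljoin, urlsplit

# Constructed table of (status, Location) that each URL would answer with.
# A real tool would send the requests; here the answers are embedded so the
# example runs offline.
RESPONSES = {
    # The case the reply calls "impressed": same host, http -> https.
    "http://mybank.example/": (301, "https://mybank.example/"),
    # The case the paper forbids: insecure home page hands off to a
    # security-sensitive site on another domain (TLS or not is irrelevant).
    "http://www.bigbankhomepage.example/": (302, "https://www.bigbanksecurebanking.example/"),
    # A relative Location, to show the resolution step.
    "http://www.bigbankhomepage.example/login": (302, "/secure/login"),
}


def registrable_domain(host: str) -> str:
    # Assumption: the last two labels identify the site (no PSL lookup).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_hop(src: str, dst: str) -> str:
    """Label one redirect or link from src to dst."""
    s, d = urlsplit(src), urlsplit(dst)
    same_site = registrable_domain(s.hostname or "") == registrable_domain(d.hostname or "")
    if s.scheme == "https" and d.scheme == "http":
        return "downgrade"
    if s.scheme == "http" and not same_site:
        # The paper's rule: insecure page -> other domain, regardless of SSL.
        return "insecure cross-domain transition"
    if s.scheme == "http" and d.scheme == "https":
        return "same-domain upgrade"
    if s.scheme == "https" and d.scheme == "https":
        return "secure" if same_site else "secure cross-domain"
    return "insecure"  # http -> http on the same site


def resolve_chain(start: str, responses=RESPONSES, limit: int = 10) -> list:
    """Follow Location headers from start, returning every URL visited."""
    chain = [start]
    current = start
    while current in responses and len(chain) <= limit:
        status, location = responses[current]
        if status not in (301, 302, 303, 307, 308):
            break
        current = urljoin(current, location)  # resolve relative Locations
        if current in chain:
            break  # redirect loop
        chain.append(current)
    return chain


def classify_chain(urls: list) -> list:
    return [(a, b, classify_hop(a, b)) for a, b in zip(urls, urls[1:])]


def violations(urls: list) -> list:
    """Hops a reviewer would flag: downgrades and insecure cross-domain transitions."""
    bad = {"downgrade", "insecure cross-domain transition"}
    return [hop for hop in classify_chain(urls) if hop[2] in bad]


if __name__ == "__main__":
    for start in RESPONSES:
        chain = resolve_chain(start)
        for src, dst, label in classify_chain(chain):
            print(f"{label:34s} {src} -> {dst}")
```

The check deliberately flags an http-to-http hop to another domain as well, since the rule as quoted does not care whether the destination uses SSL; the relative Location case shows that urljoin keeps the hop on the same host and scheme, so it is labelled as merely insecure rather than a transition.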

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

