funsec mailing list archives

Re: link from http page to https page


From: security curmudgeon <jericho () attrition org>
Date: Sun, 27 Jul 2008 18:22:53 +0000 (UTC)


Hi Larry,

: (http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf) on 
: vulnerabilities in financial web sites presented last week at Carnegie 
: Mellon and I'm curious about a statement in it: "Under no circumstance 
: should an insecure page make a transition to a security-sensitive 
: website hosted on another domain, regardless of whether the destination 
: site uses SSL."

I pointed out the same thing in my debunking of this paper.

http://attrition.org/security/rant/prakash_et_al-01.html
Brief analysis of "Analyzing Websites for User-Visible Security Design Flaws"
Fri, 25 Jul 2008 15:05:25 +0000 (UTC)
Jericho (Security Curmudgeon)

Atul Prakash replied to me when I mailed this to him, but did not choose 
to clarify anything nor offer rebuttal to my article. Neither of the 
students (Falk, Borders) replied at all. Instead of defending the paper, 
Prakash was more interested in telling me to "watch the presentation" in 
so many words and to find them on http://bankwebsecurity.blogspot.com in a 
day or two.

- jericho
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.