funsec mailing list archives
Re: link from http page to https page
From: security curmudgeon <jericho () attrition org>
Date: Sun, 27 Jul 2008 18:26:15 +0000 (UTC)
: I think it's a matter more of how users being used to that could be
: easily socially engineered on top of a website defacement, as opposed to
: any technological security risk. Assuming the site redirected to is, in
: fact, what it claims to be, then the user remains safe. The issue is: if
: I get redirected from http://www.citicards.com to
: https://www.citicards.com.rbn.ru, and don't notice it, I'm hosed. If I'm
: used to seeing the domain change, then I am less likely to notice it.
: There's probably also the underlying assumption in the hosting company
: that the "non-secure" domain doesn't need to be as well protected,
: thereby making a defacement changing the redirect more likely.

Even so, labeling this a vulnerability or 'design flaw' in a banking web site seems to be inappropriate given the typical uses and general acceptance of those words.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
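The quoted scenario above (an http page redirecting to an https page, where a habituated user may not notice that the target host has changed to something like www.citicards.com.rbn.ru) is the kind of thing a site owner or proxy can audit mechanically. The following is an added example, not code from anyone in this thread: it classifies an observed redirect by comparing the registrable domain of the origin with that of the target and flags targets that embed the origin's domain as a prefix of a different registrable domain. The two-label suffix table and the sample redirect log are constructed for illustration; a real deployment would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, abbreviated stand-in for the Public Suffix List (assumption:
# only these two-label suffixes are treated as public suffixes).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname,
    e.g. 'www.citicards.com' -> 'citicards.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _contains_labels(host: str, needle: str) -> bool:
    """True if the labels of `needle` appear as a contiguous run inside `host`'s labels."""
    h = host.lower().split(".")
    n = needle.lower().split(".")
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def classify_redirect(origin_url: str, target_url: str) -> str:
    """Classify a redirect as one of:
    'same-site-upgrade' (http -> https, same registrable domain),
    'same-site'         (same registrable domain, no scheme upgrade),
    'downgrade'         (https -> http, always worth flagging),
    'lookalike'         (target embeds the origin's domain under a different
                         registrable domain, the www.citicards.com.rbn.ru case),
    'cross-site'        (any other change of registrable domain)."""
    o, t = urlsplit(origin_url), urlsplit(target_url)
    o_host, t_host = o.hostname or "", t.hostname or ""
    o_reg, t_reg = registrable_domain(o_host), registrable_domain(t_host)

    if o.scheme == "https" and t.scheme != "https":
        return "downgrade"
    if o_reg == t_reg:
        return "same-site-upgrade" if (o.scheme, t.scheme) == ("http", "https") else "same-site"
    if _contains_labels(t_host, o_reg):
        return "lookalike"
    return "cross-site"


def audit_redirects(pairs):
    """Return the (origin, target, verdict) triples that a reviewer should look at,
    i.e. everything except a plain same-site redirect or same-site https upgrade."""
    flagged = []
    for origin, target in pairs:
        verdict = classify_redirect(origin, target)
        if verdict not in ("same-site", "same-site-upgrade"):
            flagged.append((origin, target, verdict))
    return flagged


# Constructed sample redirect log: (origin, Location header target).
SAMPLE_REDIRECTS = [
    ("http://www.citicards.com/", "https://www.citicards.com/login"),
    ("http://www.citicards.com/", "https://www.citicards.com.rbn.ru/login"),
    ("http://www.citicards.com/", "https://secure.citibank.com/"),
    ("https://www.citicards.com/", "http://www.citicards.com/"),
]

if __name__ == "__main__":
    for origin, target, verdict in audit_redirects(SAMPLE_REDIRECTS):
        print(f"{verdict:18} {origin} -> {target}")
```

Run against the constructed log, only the first entry passes silently; the lookalike, the cross-site hop and the https-to-http downgrade are reported. The point of the "lookalike" class is exactly the habituation problem raised in the quoted text: a site that routinely sends users to a different host for its https pages trains them to accept a changed domain, so the audit treats any change of registrable domain as a finding rather than relying on the user to notice.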
Current thread:
- link from http page to https page Larry Seltzer (Jul 27)
- Re: link from http page to https page Tomas L. Byrnes (Jul 27)
- Re: link from http page to https page Larry Seltzer (Jul 27)
- Re: link from http page to https page security curmudgeon (Jul 27)
- Re: link from http page to https page Tomas L. Byrnes (Jul 27)
- Re: link from http page to https page charlie derr (Jul 27)
- Re: link from http page to https page security curmudgeon (Jul 27)
- Re: link from http page to https page Tomas L. Byrnes (Jul 27)