Re: link from http page to https page

["Tomas L. Byrnes" <tomb () byrneit net>]

> From a basic UI standpoint, it's a design flaw, as things are going on
that are not clear.

It can be debated whether it is a security risk or security design
issue, but it is very much in the category of "Mystery Meat Navigation".

You never know what you're going to get.

 

> -----Original Message-----
> From: security curmudgeon [mailto:jericho () attrition org] 
> Sent: Sunday, July 27, 2008 11:26 AM
> To: Tomas L. Byrnes
> Cc: funsec () linuxbox org
> Subject: Re: [funsec] link from http page to https page
>
>
> : I think it's a matter more of how users being used to that could be
> : easily socially engineered on top of a website defacement, 
> as opposed to
> : any technological security risk. Assuming the site 
> redirected to is, in
> : fact, what it claims to be, then the user remains safe. The 
> issue is: if
> : I get redirected from http://www.citicards.com to
> : https://www.citicards.com.rbn.ru, and don't notice it, I'm 
> hosed. If I'm
> : used to seeing the domain change, then I am less likely to 
> notice it.
> :  There's probably also the underlying assumption in the 
> hosting company
> : that the "non-secure" domain doesn't need to be as well protected,
> : thereby making a defacement changing the redirect more likely.
>
> Even so, labeling this a vulnerability or 'design flaw' in a 
> banking web site seems to be inappropriate given the typical 
> uses and general acceptance of those words.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.