funsec mailing list archives
Re: link from http page to https page
From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Sun, 27 Jul 2008 12:12:39 -0700
From a basic UI standpoint, it's a design flaw, as things are going on that are not clear. It can be debated whether it is a security risk or security design issue, but it is very much in the category of "Mystery Meat Navigation". You never know what you're going to get.
-----Original Message-----
From: security curmudgeon [mailto:jericho () attrition org]
Sent: Sunday, July 27, 2008 11:26 AM
To: Tomas L. Byrnes
Cc: funsec () linuxbox org
Subject: Re: [funsec] link from http page to https page

: I think it's a matter more of how users being used to that could be
: easily socially engineered on top of a website defacement, as opposed to
: any technological security risk. Assuming the site redirected to is, in
: fact, what it claims to be, then the user remains safe. The issue is: if
: I get redirected from http://www.citicards.com to
: https://www.citicards.com.rbn.ru, and don't notice it, I'm hosed. If I'm
: used to seeing the domain change, then I am less likely to notice it.
: There's probably also the underlying assumption in the hosting company
: that the "non-secure" domain doesn't need to be as well protected,
: thereby making a defacement changing the redirect more likely.

Even so, labeling this a vulnerability or 'design flaw' in a banking web site seems to be inappropriate given the typical uses and general acceptance of those words.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
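The quoted concern above is that an http-to-https redirect which lands on a different hostname teaches users to accept domain changes, so a defaced redirect to a lookalike such as www.citicards.com.rbn.ru goes unnoticed. The following is an added example, written for this archive page and not code from any list participant, of a monitoring check a site owner could run over their own redirect log: it compares the origin and target hostnames, flags a redirect that leaves the registrable domain, and separately flags the lookalike pattern where the trusted domain name is embedded as a label prefix of a foreign one. The two-label approximation of the registrable domain, the verdict names, and the sample log lines (apart from the rbn.ru hostname taken from the thread) are assumptions made for the example.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two DNS labels.

    Assumption for this example only: a production check would consult the
    Public Suffix List, since names under e.g. co.uk need three labels.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_redirect(origin_url: str, target_url: str) -> dict:
    """Compare where a redirect started and where it landed.

    Verdicts (names chosen for this example):
      ok     - same hostname, e.g. a plain http->https upgrade
      review - same registrable domain but a different host; users will
               learn to accept a host change here, so keep the list short
      alert  - lands on a different registrable domain
    """
    o_host = (urlsplit(origin_url).hostname or "").lower()
    t_parts = urlsplit(target_url)
    t_host = (t_parts.hostname or "").lower()

    same_host = o_host == t_host
    same_domain = registrable_domain(o_host) == registrable_domain(t_host)
    # Lookalike: the trusted registrable domain appears inside a foreign
    # hostname, as in www.citicards.com.rbn.ru from the thread.
    lookalike = (not same_domain) and registrable_domain(o_host) in t_host

    if same_host:
        verdict = "ok"
    elif same_domain:
        verdict = "review"
    else:
        verdict = "alert"

    return {
        "origin_host": o_host,
        "target_host": t_host,
        "lands_on_https": t_parts.scheme.lower() == "https",
        "same_host": same_host,
        "same_domain": same_domain,
        "lookalike": lookalike,
        "verdict": verdict,
    }


# Constructed sample log: "origin -> target" per line. The rbn.ru hostname is
# the hypothetical one from the quoted message; the rest are made up here.
SAMPLE_LOG = [
    "http://www.citicards.com/ -> https://www.citicards.com/",
    "http://www.citicards.com/ -> https://secure.citicards.com/login",
    "http://www.citicards.com/ -> https://www.citicards.com.rbn.ru/",
]


def scan_redirect_log(lines):
    """Return (origin, target, verdict) for every redirect that is not 'ok'."""
    findings = []
    for line in lines:
        origin, sep, target = line.partition(" -> ")
        if not sep:
            continue  # skip malformed lines rather than guess
        result = classify_redirect(origin.strip(), target.strip())
        if result["verdict"] != "ok":
            findings.append((origin.strip(), target.strip(), result["verdict"]))
    return findings


if __name__ == "__main__":
    for origin, target, verdict in scan_redirect_log(SAMPLE_LOG):
        print(f"{verdict:6} {origin} -> {target}")
```

Run against a real redirect log, the "review" entries are the ones to minimise (each legitimate cross-host redirect is one more domain change users are trained to accept), and any "alert" with `lookalike` set is the defacement scenario the quoted message describes.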
Current thread:
- link from http page to https page Larry Seltzer (Jul 27)
- Re: link from http page to https page Tomas L. Byrnes (Jul 27)
- Re: link from http page to https page Larry Seltzer (Jul 27)
- Re: link from http page to https page security curmudgeon (Jul 27)
- Re: link from http page to https page Tomas L. Byrnes (Jul 27)
- Re: link from http page to https page charlie derr (Jul 27)
- Re: link from http page to https page security curmudgeon (Jul 27)
- Re: link from http page to https page Tomas L. Byrnes (Jul 27)