
List:       ietf-tls
Subject:    Re: [TLS] [certid] review of draft-saintandre-tls-server-id-check-09
From:       Martin Rex <mrex () sap ! com>
Date:       2010-09-23 18:15:39
Message-ID: 201009231815.o8NIFdDi023872 () fs4113 ! wdf ! sap ! corp

Marsh Ray wrote:
> 
> Martin Rex wrote:
> >
> > Thinking about it, I feel slightly uneasy about some redirects, such as
> > https://gmail.com  ->  301 ->   https://mail.google.com/mail
> >
> > I think these should never go without a warning.
> 
> That bugs me too. Lots of sites do it though, usually with Javascript.
> 
> > If my banks online-banking portal (https://www.<mybank>.de)
> > would suddenly redirect me to https://www.<mybank>.com before
> > asking me for credentials and transaction authorization codes,
> > that would be a real security problem, because www.<mybank>.com
> > is not leased by my bank (it is apparently not currently leased to anyone)
> > 
> > A hacker that breaks into a web-site in order to trap
> > victims
> 
> The site is now 100% (to use the technical term) "pwned".
> 
> It's not possible for a network security protocol to survive the 
> compromise of one of the endpoints. We can no longer reason about Alice 
> and Bob if Bob is allowed to be under the hypnotic control of Eve.

True.   I used the wrong words in what I was trying to say.

There is definitely little that you can do about a full compromise of
the real server.

But blindly trusting browsers may easily turn a seemingly small security
vulnerability (every XSS, CSRF, content upload) that enables diverting
a victim seamlessly to the attacker's own server into something close to
equivalent to a full compromise of the real server for the purpose of capturing
sensitive or confidential information from the victim.

-Martin
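The redirect cases discussed above (gmail.com to mail.google.com, and a bank's .de portal bouncing to a .com host it does not control) can be checked mechanically before a user is asked for credentials. The following is an added example, not code from the thread or from the draft under review: it follows a redirect chain and classifies each hop as same-host, same-domain, cross-domain, or a TLS downgrade. The `SAMPLE_SERVERS` table and the `fetch` stand-in are constructed so the script runs offline; a real auditor would issue HEAD/GET requests instead. The `registrable_domain` heuristic (last two labels) is a deliberate simplification and is labelled as such; production code should consult the Public Suffix List.

```python
"""Audit a redirect chain and flag hops that leave the origin's domain or drop TLS.

Added example, not part of the original mailing-list thread. The redirect
chains below are constructed in memory so the script runs offline; replace
`fetch` with a real HTTP client (HEAD requests) to audit live sites.
"""
from urllib.parse import urlparse, urljoin

# Constructed sample "servers": URL -> (HTTP status, Location header or None).
# They mirror the thread's two cases (gmail.com -> mail.google.com, and a bank
# whose .de portal bounces to a .com host) plus two benign/downgrade cases.
SAMPLE_SERVERS = {
    "https://gmail.com/": (301, "https://mail.google.com/mail"),
    "https://mail.google.com/mail": (200, None),
    "https://www.mybank.de/": (302, "https://www.mybank.com/login"),
    "https://www.mybank.com/login": (200, None),
    "https://shop.example.net/": (302, "https://www.example.net/"),
    "https://www.example.net/": (200, None),
    "https://old.example.org/": (301, "http://old.example.org/"),  # drops TLS
    "http://old.example.org/": (200, None),
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def fetch(url):
    """Stand-in for a network fetch: return (status, Location header)."""
    return SAMPLE_SERVERS.get(url, (404, None))


def registrable_domain(host):
    """Simplified registrable domain: the last two DNS labels.

    This is an assumption for the example only; a real check must use the
    Public Suffix List so that names like example.co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_hop(src, dst):
    """Classify one redirect src -> dst, most severe condition first."""
    s, d = urlparse(src), urlparse(dst)
    if s.scheme == "https" and d.scheme != "https":
        return "downgrade"        # the user silently leaves TLS altogether
    if s.hostname == d.hostname:
        return "same-host"
    if registrable_domain(s.hostname) == registrable_domain(d.hostname):
        return "same-domain"      # shop.example.net -> www.example.net
    return "cross-domain"         # www.mybank.de -> www.mybank.com


def follow(url, fetch=fetch, max_hops=10):
    """Follow redirects from url; return a list of (src, dst, classification).

    max_hops bounds the walk so a redirect loop cannot run forever.
    """
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_STATUSES or location is None:
            break
        nxt = urljoin(url, location)   # resolves relative Location headers
        hops.append((url, nxt, classify_hop(url, nxt)))
        url = nxt
    return hops


def warnings_for(url, fetch=fetch):
    """Hops that should stop a user before any credential is entered."""
    return [h for h in follow(url, fetch) if h[2] in ("cross-domain", "downgrade")]


if __name__ == "__main__":
    for start in ("https://gmail.com/", "https://www.mybank.de/",
                  "https://shop.example.net/", "https://old.example.org/"):
        for src, dst, kind in follow(start):
            print(f"{kind:12} {src} -> {dst}")
```

The classification order matters: a hop that both changes domain and drops to plain HTTP is reported as a downgrade, because once TLS is gone the server-identity check the draft describes no longer applies at all. A same-domain hop is reported but not flagged, since in practice most sites bounce between their own hostnames.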

