Open Source and information security mailing list archives
Date: Fri, 24 Jun 2005 15:38:18 -0700
From: Secure Science Corporation Bugtraq <bugtraq@...urescience.net>
To: bugtraq@...urityfocus.com
Subject: Phishing - feature or flaw


Hi,

Regarding certain vulnerabilities that are being discovered such as 
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test

Are these really features, or are they flaws now because of the phishing 
threat vector? Originally JavaScript/DHTML/DOM is pretty powerful and 
can do a lot of nasty stuff if someone were inclined. But phishing has 
caused us to take a look at the once dubbed features of DHTML, and 
possibly put responsibility onto the browser vendors for fixing these 
now dubbed "flaws".

For example, is this a flaw? 
https://slam.securescience.com/threats/mixed.html (some Mozilla browsers 
don't like Thawte yet, so you will get a warning). This is a standard 
frame with the URL domain as https://slam.securescience.com, but the 
body is https://www.bankone.com. Take a look at the lock icon: it will 
only verify the URL domain. Is that a browser issue, a CA issue, or a 
feature?

As we all have seen, one can use DHTML to create a popup and replace a 
mimicked address bar if one were so inclined (dirty rendition at 
http://ip.securescience.net/exploits/ with popup blockers off; it was 
designed for IE). Feature, or flaw?


-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!


