lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <42BC8B5A.3030901@securescience.net>
Date: Fri, 24 Jun 2005 15:38:18 -0700
From: Secure Science Corporation Bugtraq <bugtraq@...urescience.net>
To: bugtraq@...urityfocus.com
Subject: Phishing - feature or flaw


Hi,

Regarding certain vulnerabilities that are being discovered such as 
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test

Are these really features, or are they flaws now because of the phishing 
threat vector. Originally javascript/DHTML/DOM is pretty powerful and 
can do a lot of nasty stuff if someone were inclined. But phishing has 
caused us to take a look at the once dubbed features of DHTML, and 
possibly put responsibility onto the browser vendors for fixing these 
now dubbed "flaws".

For example, is this a flaw - 
https://slam.securescience.com/threats/mixed.html (some mozilla browsers 
don't like Thawte yet so you will get a warning). This is a standard 
frame with the URL domain as https://slam.securescience.com, but the 
body is https://www.bankone.com - take a look at the lock icon - it will 
only verify the url domain - is that a browser issue, a CA issue, or a 
feature?

As we all have seen, one can use DHTML to create a popup and replace a 
mimicked address bar if one were so incline (dirty rendition at 
http://ip.securescience.net/exploits/ (popup blockers off and it was 
designed for IE). Feature, or flaw?


-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ