| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Jun 2010 15:41:27 -0700 From: Chris Evans <scarybeasts@...il.com> To: Dan Kaminsky <dan@...para.com> Cc: Lavakumar Kuppan <lava@...labs.org>, full-disclosure@...ts.grok.org.uk Subject: Re: Chrome and Safari users open to stealth HTML5 Application Cache attack On Mon, Jun 28, 2010 at 1:30 PM, Dan Kaminsky <dan@...para.com> wrote: > >> In summary, any http hit on an insecure network is dangerous on all >> browsers. >> (FWIW, Chromium resolves this for me. When I type mail<enter> into the >> omnibar, it auto-completes to https://mail.google.com/) >> > > Actually, I see this as a legitimate gap. HTTP links don't cache-mix with > HTTPS links, and cookies can have server-side integrity checking to prevent > HTTP pollution (lets not talk about the secure tag for cookies), but if it > is indeed the case that there is no way to have a HTTPS-exclusive > Application Cache, then that is a feature killing bug that's been > legitimately called out. Eh? Lava's attack poisons a plain HTTP resource. As per "regular" caching, Application Cache is supposed to separate the effects of HTTP and HTTPS responses. Cheers Chris > > --Dan > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists