
Security Basics mailing list archives

Re: HTTPS vs encrypted frames in HTTP
From: Eloi Granado <eloi.granado () millorsoft net>
Date: Thu, 18 Dec 2003 10:22:48 +0100


On Wednesday 17 December 2003 20:12, Sasha wrote:
Bottom line:  Should I be worried about this?

If you are concerned with network interception -- NO.


The question is: can you always *easily* check you are 
accessing the encrypted frame? No. You must get to the
frame properties dialog to check it. Every time.

This is a BAD user interface design. Fake the outer 
frameset (as it travels unencrypted/unsigned) and you 
can fake the inner frame without the user noticing it.
But, if the user sees the https: in the location bar
he knows the frameset is reliable, and thus if 
everything else is https too everything is reliable.

So yes, it is a bad design, and of an "insecure" nature.



-- 
-----------------------------------------------------
Eloi Granado  (eloi () millorsoft es)
PGP Key: http://eloi.millorsoft.es/pgp-publickey.asc
-----------------------------------------------------
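
As an added illustration (not part of the original post), this Python check audits a page for the design the message criticises: it resolves every frame URL against the top-level document and flags an HTTPS frame whose enclosing frameset was delivered over plain HTTP. The host `shop.example`, the sample HTML and the verdict labels are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FrameCollector(HTMLParser):
    """Collect <frame>/<iframe> src values and the first <base href>."""
    def __init__(self):
        super().__init__()
        self.base, self.sources = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
        elif tag in ("frame", "iframe") and attrs.get("src"):
            self.sources.append(attrs["src"].strip())


def audit_frames(top_url, html):
    """Return [(absolute_frame_url, verdict)] for the document at top_url."""
    parser = FrameCollector()
    parser.feed(html)
    parser.close()
    base = urljoin(top_url, parser.base) if parser.base else top_url
    top_secure = urlsplit(top_url).scheme == "https"
    findings = []
    for src in parser.sources:
        frame_url = urljoin(base, src)
        frame_secure = urlsplit(frame_url).scheme == "https"
        if top_secure and frame_secure:
            verdict = "ok"
        elif frame_secure:
            # The case in the message: the frameset naming this frame came
            # unauthenticated, so a substituted frame goes unnoticed.
            verdict = "https-frame-in-http-frameset"
        elif top_secure:
            verdict = "http-frame-in-https-page"
        else:
            verdict = "all-plaintext"
        findings.append((frame_url, verdict))
    return findings


# Constructed sample: a frameset served over plain HTTP (hypothetical site).
SAMPLE_TOP = "http://shop.example/index.html"
SAMPLE_HTML = ('<frameset cols="20%,80%"><frame src="menu.html">'
               '<frame src="https://shop.example/login"></frameset>')

if __name__ == "__main__":
    print(audit_frames(SAMPLE_TOP, SAMPLE_HTML))
```

Serving the same frameset from an `https:` top-level URL turns both verdicts into `ok`, which is the condition the message says the user can verify from the location bar.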

