I think it's a matter more of how users who are used to that could easily be socially engineered on top of a website defacement, as opposed to any technological security risk. Assuming the site redirected to is, in fact, what it claims to be, then the user remains safe. The issue is: if I get redirected from http://www.citicards.com to https://www.citicards.com.rbn.ru, and don't notice it, I'm hosed. If I'm used to seeing the domain change, then I am less likely to notice it. There's probably also the underlying assumption in the hosting company that the "non-secure" domain doesn't need to be as well protected, thereby making a defacement that changes the redirect more likely.
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Seltzer
Sent: Sunday, July 27, 2008 8:45 AM
To: funsec@linuxbox.org
Subject: [funsec] link from http page to https page

I've been reading a paper (http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf) on vulnerabilities in financial web sites presented last week at Carnegie Mellon and I'm curious about a statement in it:

"Under no circumstance should an insecure page make a transition to a security-sensitive website hosted on another domain, regardless of whether the destination site uses SSL."

So for example, a link from http://www.bigbankhomepage.com to https://www.bigbanksecurebanking.com/ is inherently insecure. But a link from http://www.bigbankhomepage.com to https://www.bigbankhomepage.com isn't?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
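The rule the thread quotes from the paper, and the look-alike hostname the reply uses to illustrate why it matters, can be turned into a link-audit check a site owner runs over their own redirect chains. The code below is an added example and is not from the thread, the paper, or any of the sites named; it assumes a deliberately simplified "registrable domain = last two labels" heuristic (real code would consult the Public Suffix List) and a hypothetical policy that flags any hop from an http page to a different registrable domain, with an extra note when the original domain is embedded in the new hostname.

```python
"""Audit http -> https hand-offs for the cross-domain transition the paper forbids.

Added example, not part of the funsec thread. Hostnames below are taken from the
thread's own illustrations; the domain heuristic is a labelled simplification.
"""
from typing import List, Optional
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two DNS labels.

    Assumption: good enough for .com/.ru style names used here; production code
    should use the Public Suffix List so that e.g. example.co.uk is handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def audit_transition(src: str, dst: str) -> Optional[str]:
    """Return None if the hop is acceptable, else a human-readable reason.

    Policy (from the quoted paper): an insecure (http) page must never hand the
    user to a security-sensitive site on another domain, SSL or not. Hops that
    start on an https page are outside the rule and are not judged here.
    """
    s, d = urlsplit(src), urlsplit(dst)
    src_host = s.hostname or ""
    dst_host = d.hostname or ""

    if s.scheme != "http":
        return None  # rule only concerns transitions from insecure pages
    if d.scheme != "https":
        return "destination is not HTTPS"

    src_dom, dst_dom = registrable_domain(src_host), registrable_domain(dst_host)
    if src_dom == dst_dom:
        return None  # http://www.bank.example -> https://www.bank.example is fine

    reason = f"insecure page on {src_host} hands off to different domain {dst_dom}"
    # The reply's example: the trusted name survives as a subdomain label of an
    # unrelated registrable domain, so a user used to domain changes may not notice.
    if src_dom in dst_host:
        reason += " (look-alike: original domain embedded in hostname)"
    return reason


def audit_chain(urls: List[str]) -> List[str]:
    """Apply audit_transition to each consecutive pair in an observed redirect chain."""
    findings = []
    for a, b in zip(urls, urls[1:]):
        reason = audit_transition(a, b)
        if reason:
            findings.append(f"{a} -> {b}: {reason}")
    return findings


if __name__ == "__main__":
    # Constructed chains built from the hostnames the thread itself mentions.
    for chain in (
        ["http://www.bigbankhomepage.com", "https://www.bigbankhomepage.com"],
        ["http://www.bigbankhomepage.com", "https://www.bigbanksecurebanking.com/"],
        ["http://www.citicards.com", "https://www.citicards.com.rbn.ru"],
    ):
        print(chain, "->", audit_chain(chain) or "ok")
```

The same-domain hop is the only one that passes; the cross-domain hop is flagged on the paper's rule alone, and the reply's `citicards.com.rbn.ru` case is additionally marked as a look-alike because `citicards.com` is merely a label inside a name whose registrable domain is `rbn.ru`. Running this over a bank's real redirect chain (captured from a browser or a scripted fetch) tells an operator whether their own login flow trains users to accept exactly the domain change that a defaced redirect would exploit.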