Larry Seltzer wrote:
> I've been reading a paper
> (http://cups.cs.cmu.edu/soups/2008/proceedings/p117Falk.pdf) on
> vulnerabilities in financial web sites presented last week at Carnegie
> Mellon and I'm curious about a statement in it: "Under no circumstance
> should an insecure page make a transition to a security-sensitive
> website hosted on another domain, regardless of whether the destination
> site uses SSL."
>
Hello,

I haven't gone back to look at context, but perhaps the word "transition" is used to specifically refer to an in-page redirection (using a Header at the http: address (or from a form submitted from an http: page) to redirect immediately (and mostly silently for the general public) to an https: address).

> So for example, a link from http://www.bigbankhomepage.com to
> https://www.bigbanksecurebanking.com/ is inherently insecure. But a link
> from http://www.bigbankhomepage.com to https://www.bigbankhomepage.com
> isn't?

If I were to enter http://mybank.com in my browser window and be silently redirected to https://mybank.com when I hit enter, I wouldn't mind; in fact, I think I'd be impressed. If however I were instead redirected (silently) to https://any-other.domain I'd definitely begin to wonder about the security and thought behind their infrastructure.

Again, I haven't gone back to look at the paper you cite, but the way the sentence you quote is constructed (i.e. "make a transition") leads me to believe that the author may be talking about behind-the-scenes processing after clicking on a URL or button (and not the relationship of the links listed on the page to the domain the page visitor is seeing (as you seem to be assuming)). But I may have it completely wrong.

~c

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
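The distinction the reply draws (a silent http-to-https redirect on the same host versus a hop from a plain-http page to a different host) can be checked mechanically against the rule quoted from the paper. The following is an added example, not code from the thread or the paper; the redirect chains and `.example` hostnames are constructed, and the chains are assumed to already be collected (e.g. from a browser's network log or a redirect-following client).

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample chains (not from the thread). Each list starts with the
# URL the user requested, followed by every Location: value the browser followed.
SAME_DOMAIN_UPGRADE = ["http://mybank.example/", "https://mybank.example/"]
CROSS_DOMAIN_HOP = [
    "http://www.bigbankhomepage.example/",
    "https://www.bigbanksecurebanking.example/login",
]
MIXED_CHAIN = [
    "http://www.bigbankhomepage.example/",
    "/online",                                    # relative Location, same host
    "//www.bigbanksecurebanking.example/login",   # scheme-relative, other host
    "https://www.bigbanksecurebanking.example/login",
]

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def violates_rule(src, dst):
    """True when the hop src -> dst is the transition the paper forbids:
    the page the user is on is plain http and the destination lives on a
    different host, regardless of the scheme the destination uses."""
    dst = urljoin(src, dst)   # resolve relative / scheme-relative Location values
    if urlsplit(src).scheme != "http":
        return False          # the quoted rule only speaks about leaving an insecure page
    # Hosts are compared exactly, so www.bank.example -> login.bank.example is
    # flagged; collapse hosts to a registrable domain first if sibling
    # subdomains should count as the same site.
    return host_of(src) != host_of(dst)

def audit_chain(chain):
    """Return (hop_index, src, resolved_dst) for every forbidden hop in a chain."""
    findings = []
    src = chain[0]
    for i, hop in enumerate(chain[1:]):
        dst = urljoin(src, hop)
        if violates_rule(src, dst):
            findings.append((i, src, dst))
        src = dst
    return findings

if __name__ == "__main__":
    for name, chain in [("same-domain", SAME_DOMAIN_UPGRADE),
                        ("cross-domain", CROSS_DOMAIN_HOP),
                        ("mixed", MIXED_CHAIN)]:
        print(name, audit_chain(chain) or "clean")
```

The mixed chain shows the "regardless of whether the destination site uses SSL" clause: the scheme-relative hop resolves to plain http on the other host and is flagged, while the later same-host upgrade to https is not.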