From a basic UI standpoint, it's a design flaw, as things are going on
that are not clear.

It can be debated whether it is a security risk or security design
issue, but it is very much in the category of "Mystery Meat Navigation".

You never know what you're going to get.
> -----Original Message-----
> From: security curmudgeon [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, July 27, 2008 11:26 AM
> To: Tomas L. Byrnes
> Cc: funsec@linuxbox.org
> Subject: Re: [funsec] link from http page to https page
> 
> 
> : I think it's a matter more of how users being used to that could be
> : easily socially engineered on top of a website defacement, as opposed to
> : any technological security risk. Assuming the site redirected to is, in
> : fact, what it claims to be, then the user remains safe. The issue is: if
> : I get redirected from http://www.citicards.com to
> : https://www.citicards.com.rbn.ru, and don't notice it, I'm hosed. If I'm
> : used to seeing the domain change, then I am less likely to notice it.
> : There's probably also the underlying assumption in the hosting company
> : that the "non-secure" domain doesn't need to be as well protected,
> : thereby making a defacement changing the redirect more likely.
> 
> Even so, labeling this a vulnerability or 'design flaw' in a 
> banking web site seems to be inappropriate given the typical 
> uses and general acceptance of those words.
> 
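The redirect concern raised in the quoted message, as an added defensive check (my own example, not code from anyone in this thread): a site owner can audit each http-to-https redirect their pages issue and flag the cases the thread worries about, in particular the trap where the real hostname survives as a prefix of a different registrable domain. The sample chain and the "last two labels" domain approximation are constructed assumptions; a production check would consult a public-suffix list.

```python
from urllib.parse import urlsplit

# Constructed sample of (page requested, Location header returned),
# modelled on the hostnames used in the thread; not real observations.
SAMPLE_CHAIN = [
    ("http://www.citicards.com/", "https://www.citicards.com/login"),
    ("http://www.citicards.com/", "https://www.citicards.com.rbn.ru/login"),
    ("http://www.citicards.com/", "http://www.citicards.com/login"),
]


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Assumption: no public-suffix list is consulted, so co.uk-style
    suffixes would be misjudged; sufficient for the classification below.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_redirect(source: str, location: str) -> str:
    """Label one redirect so a monitoring job can alert on a changed policy."""
    src, dst = urlsplit(source), urlsplit(location)
    src_host, dst_host = (src.hostname or "").lower(), (dst.hostname or "").lower()
    if dst.scheme != "https":
        # A login flow landing on plain http is never the intended outcome.
        return "downgrade-or-plain"
    if dst_host == src_host:
        return "same-host"
    if registrable_domain(dst_host) == registrable_domain(src_host):
        return "same-domain"
    # The thread's trap: the genuine hostname is a prefix of the attacker's,
    # so a user accustomed to the domain changing skims right past it.
    if dst_host.startswith(src_host + "."):
        return "lookalike-prefix"
    return "cross-domain"


def audit(chain):
    """Return (source, location, label) for every redirect in the chain."""
    return [(src, dst, classify_redirect(src, dst)) for src, dst in chain]


if __name__ == "__main__":
    for src, dst, label in audit(SAMPLE_CHAIN):
        print(f"{label:20s} {src} -> {dst}")
```

Anything other than "same-host" or "same-domain" is worth an alert, since a defacement that swaps the redirect target would surface exactly there.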

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.