On Sat, Jan 23, 2016 at 8:25 AM, Mick <michaelkintz...@gmail.com> wrote:
> On Tuesday 19 Jan 2016 15:59:25 Grant wrote:
>
>> > If a user certificate is lost or feared compromised, you revoke it with
>> > your CA and upload the CRL to the server.
>> >
>> > However, this won't do away with XSS, or other similar attack vectors if
>> > the users are not careful with their browsing habits.
>>
>> Can you give me an example?
>
> If your coder has another website page open in his/her browser which contains
> for example XSS or CSRF code, then the webpage of your company's web app could
> be potentially compromised by your user inadvertently executing state changing
> commands on it. By providing an XSS payload the attacker could execute
> commands to change username/passwd, change email address, etc. This is one
> reason that Internet Banking providers always advise their users to log out
> and then exit their browser when they have finished their online banking.
>
The other obvious attack would be simply stealing your session cookies or SSL client certificate+key out of the browser's RAM, or off of disk.

--
Rich
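The server-side defences against the cross-site, state-changing requests Mick describes, plus the HttpOnly flag that keeps the session cookie out of reach of script injected by XSS, as an added Python example; it is not code from anyone in this thread, and SITE_ORIGIN, the function names and the sample requests are constructed.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed value; the thread does not name the app's origin.
SITE_ORIGIN = "https://app.example.com"

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie. HttpOnly keeps it out of
    reach of script injected via XSS; SameSite=Strict stops the browser
    attaching it to requests triggered from another site's tab (CSRF)."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Strict"
    cookie["sid"]["path"] = "/"
    return cookie.output(header="").strip()

def csrf_token(secret: bytes, session_id: str) -> str:
    """Per-session token the app embeds in its own forms; a page on another
    origin cannot read it, so it cannot build a valid state-changing request."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(url: str) -> bool:
    """Compare scheme+host exactly (a startswith() check would be fooled by
    https://app.example.com.attacker.example)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN

def allow_state_change(secret: bytes, session_id: str, headers: dict, form: dict) -> bool:
    """Server-side gate for a state-changing request such as changing the
    account e-mail or password. Fails closed when Origin/Referer are absent."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source or not same_origin(source):
        return False
    token = form.get("csrf_token")
    return token is not None and hmac.compare_digest(csrf_token(secret, session_id), token)

if __name__ == "__main__":
    secret, sid = secrets.token_bytes(32), secrets.token_urlsafe(16)
    print(session_cookie_header(sid))
    good = {"csrf_token": csrf_token(secret, sid), "email": "new@example.com"}  # constructed
    print(allow_state_change(secret, sid, {"Origin": SITE_ORIGIN}, good))  # True
    print(allow_state_change(secret, sid, {"Origin": "https://other.example"}, {"email": "x"}))  # False
```

Log-out-and-close-the-browser advice still applies: these checks stop a foreign page from driving the session, not a thief who already holds the cookie or key material.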