Re: how can you verify that the site you get is not a fake?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
Subject: Re: how can you verify that the site you get is not a fake?
From: Felipe Alfaro Solana <felipe.alfaro@xxxxxxxxx>
Date: Mon, 6 Jun 2005 16:00:09 +0200
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=sxT7GGv52WUgRlOcylRnk5ZKJ2cAEpZvV1wZmVWM17wPQCF/uQkmfmLCGN08yvcMS+aOA7awLZ+sQiTwKhqSOKiNq6ck8cKhfLedm2CDdbZ6RekttC4nooqHIsaZb/E/Ks2U/6fvSVkk4zPiDFH7L3O2L7skEz8gzLZ+Y5AbTzo=
In-reply-to: <[email protected]>
List-archive: <https://www.redhat.com/archives/fedora-list>
List-help: <mailto:[email protected]?subject=help>
List-id: For users of Fedora Core releases <fedora-list.redhat.com>
List-post: <mailto:[email protected]>
List-subscribe: <http://www.redhat.com/mailman/listinfo/fedora-list>, <mailto:[email protected]?subject=subscribe>
List-unsubscribe: <http://www.redhat.com/mailman/listinfo/fedora-list>, <mailto:[email protected]?subject=unsubscribe>
References: <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]>
Reply-to: Felipe Alfaro Solana <felipe.alfaro@xxxxxxxxx>, For users of Fedora Core releases <fedora-list@xxxxxxxxxx>

On 6/6/05, Matthew Miller <mattdm@xxxxxxxxxx> wrote:
> On Mon, Jun 06, 2005 at 03:38:58PM +0200, Felipe Alfaro Solana wrote:
> > Nah! That's not enough... many web browsers are vulnerable to
> > cross-site scripting code. I've seen some real proof-of-concept web
> > sites that, by using a main frame protected via HTTP/S and a valid SSL
> > certificate, where vulnerable to cross-site scripting-like attacks
> > that were able to insert fake pages into a subframe without the web
> > browser even alerting about it.
> 
> If there's a security vulnerability in your applications, all bets are off.

Of course, but even Firefox and Safari were vulnerable[1] (I did check
it by myself) to this proof-of-concept phising attack. Thus, there
does exist no perfect security as it depends on many layers of
implementation and dependency. SSL is no exception.

[1] Link to new forms of phising attack, in Spanish:
http://www.hispasec.com/unaaldia/2406

References:
- Re: how can you verify that the site you get is not a fake?
  - From: Felipe Alfaro Solana
- RE: how can you verify that the site you get is not a fake?
  - From: bruce
- Re: how can you verify that the site you get is not a fake?
  - From: Matthew Miller
- Re: how can you verify that the site you get is not a fake?
  - From: Felipe Alfaro Solana
- Re: how can you verify that the site you get is not a fake?
  - From: Matthew Miller

Prev by Date: Re: create a restricted user
Next by Date: Anybody got experience with libvisual?
Previous by thread: Re: how can you verify that the site you get is not a fake?
Next by thread: 98% Sure
Index(es):
- Date
- Thread

[Index of Archives] [Current Fedora Users] [Fedora Desktop] [Fedora SELinux] [Yosemite News] [Yosemite Photos] [KDE Users] [Fedora Tools] [Fedora Docs]