security
Martin Atkins
mart at degeneration.co.uk
Thu Oct 26 17:01:33 UTC 2006
James A. Donald wrote:
> --
> James A. Donald wrote:
> >> So on reflection, we do have to support multiple
> >> levels of security - but this creates problems, which
> >> must be solved.
> >>
> >> It is intolerable if this endangers the guy whose
> >> identity is
> >> https://www.bankamerica.com/finance/transactions/vp.htm
>
> Martin Atkins wrote:
> > I can't think of any situation where one person's
> > unsecured identifier could compromise any other
> > identifier, secured or otherwise.
>
> Assume that what is typed in is
> www.bankamerica.com/finance/transactions/vp.htm
>
> Because DNS has been poisoned, https does not work.
>
> Relying party tries
> http://www.bankamerica.com/finance/transactions/vp.htm
>
> Gets bogus information.
>
> As a result, the guy from bankamerica is logged in on an
> account controlled by the adversary.
>
Hmm. When was it decided that a scheme-less URL should start off as HTTPS
and then be tried as HTTP? I was part of the camp arguing adamantly
against that when it was being discussed, but I don't recall a
conclusion to the debate.
This attack was one of the very reasons I was against this spec-mandated
guesswork.
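
The downgrade discussed in this thread, as an added example that is not part of the original message or of any real relying-party implementation: a hypothetical relying party resolves a scheme-less identifier with and without the HTTPS-then-HTTP fallback. The function names, the injected fetch callable and the poisoned network are constructed for illustration.

```python
from urllib.parse import urlsplit


class DiscoveryError(Exception):
    """Raised when none of the candidate URLs could be fetched."""


def candidates(user_input, allow_http_fallback):
    """Return the URLs to try, in order, for what the user typed."""
    text = user_input.strip()
    if urlsplit(text).scheme.lower() in ("http", "https"):
        return [text]                      # explicit scheme: nothing to guess
    urls = ["https://" + text]
    if allow_http_fallback:
        urls.append("http://" + text)      # the guesswork under discussion
    return urls


def discover(user_input, fetch, allow_http_fallback):
    """Return (identifier_url, document) for the first candidate that fetches."""
    for url in candidates(user_input, allow_http_fallback):
        try:
            return url, fetch(url)
        except ConnectionError:
            continue                       # fall through to the next guess
    raise DiscoveryError("no candidate for %r could be fetched" % user_input)


# Constructed scenario: DNS is poisoned, so the HTTPS attempt fails
# (the adversary has no valid certificate) while plain HTTP is answered
# by the adversary's server.
TYPED = "www.bankamerica.com/finance/transactions/vp.htm"


def poisoned_fetch(url):
    if url.startswith("https://"):
        raise ConnectionError("certificate validation failed")
    return {"served_by": "adversary"}


def run_with_fallback():
    return discover(TYPED, poisoned_fetch, allow_http_fallback=True)


def run_strict():
    try:
        return discover(TYPED, poisoned_fetch, allow_http_fallback=False)
    except DiscoveryError:
        return None                        # fails closed: no login at all
```

With the fallback enabled the relying party ends up trusting the document served over plain HTTP; without it, the same poisoned network produces a failed login instead of a wrong one.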