how can you verify that the site you get is not a fake?

Felipe Alfaro Solana felipe.alfaro at gmail.com
Mon Jun 6 14:00:09 UTC 2005


On 6/6/05, Matthew Miller <mattdm at mattdm.org> wrote:
> On Mon, Jun 06, 2005 at 03:38:58PM +0200, Felipe Alfaro Solana wrote:
> > Nah! That's not enough... many web browsers are vulnerable to
> > cross-site scripting code. I've seen some real proof-of-concept web
> > sites that, by using a main frame protected via HTTP/S and a valid SSL
> > certificate, where vulnerable to cross-site scripting-like attacks
> > that were able to insert fake pages into a subframe without the web
> > browser even alerting about it.
> 
> If there's a security vulnerability in your applications, all bets are off.

Of course, but even Firefox and Safari were vulnerable[1] (I did check
it by myself) to this proof-of-concept phising attack. Thus, there
does exist no perfect security as it depends on many layers of
implementation and dependency. SSL is no exception.

[1] Link to new forms of phising attack, in Spanish:
http://www.hispasec.com/unaaldia/2406




More information about the fedora-list mailing list