Re: sigHTTP comments?

>He changed the login form in such a way that he was sent the one time 
>transaction code of the money transfer and displayed a successful 
>result by himself from the hijacked web server. The SSL certificate was 
>of no use in this case, it even kept the user in wrong confidence.
>
>The SigHTTP would have been a solution for this case. 

I disbelieve.  All he would've had to do would be to modify the login
form handler instead of the form itself.  As you've described it,
SigHTTP does nothing for dynamic content.

>Changing already 
>signed HTML content would have deleted or modified the signature and a 
>SigHTTP capable browser or third party tool would have been given the 
>chance to alert the user.

So how does the browser distinguish between a page whose signature was
deleted by an attacker and one whose maintainer has stopped using
SigHTTP?

/========================================================\
|John Stracke                    |Principal Engineer     |
|jstracke@incentivesystems.com   |Incentive Systems, Inc.|
|http://www.incentivesystems.com |My opinions are my own.|
|========================================================|
|This space intentionally left blank.                    |
\========================================================/
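The distinction John asks about, as an added illustration that is not part of the thread or of the SigHTTP proposal: a toy verifier where "SigHTTP" is modelled as a detached HMAC in a hypothetical X-Signature header (a stand-in for whatever signature format the proposal actually used), showing that a verifier with no expectation of a signature cannot tell a stripped signature from a never-signed page, and that only added client-side state (a pin of hosts previously seen signed, an assumption of this example) makes the two cases distinguishable.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment would use a publisher's
# signing key, not a shared secret. The X-Signature header name and
# the HMAC format are assumptions of this example, not SigHTTP's.
SITE_KEY = b"demo-publisher-key"


def sign_page(body: bytes, key: bytes = SITE_KEY) -> dict:
    """Produce the (hypothetical) X-Signature header for a page body."""
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"X-Signature": mac}


def verify_naive(body: bytes, headers: dict, key: bytes = SITE_KEY) -> str:
    """Verifier that only checks a signature if one is present.
    A page whose header an attacker deleted looks exactly like a page the
    maintainer never signed, so stripping raises no alert."""
    sig = headers.get("X-Signature")
    if sig is None:
        return "unsigned"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return "valid" if hmac.compare_digest(sig, expected) else "tampered"


def verify_with_policy(host: str, body: bytes, headers: dict,
                       pins: dict, key: bytes = SITE_KEY) -> str:
    """Same check, plus a pin store remembering hosts seen with a valid
    signature. A later unsigned page from a pinned host is reported as
    'stripped' instead of 'unsigned'. The pin store is extra client state
    that the proposal as described on the list does not provide."""
    result = verify_naive(body, headers, key)
    if result == "valid":
        pins[host] = True
    elif result == "unsigned" and pins.get(host):
        return "stripped"
    return result
```

Note that the pin only helps on a host the client has already seen signed; a first visit to a stripped page is still indistinguishable from an unsigned site.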
