SSL info

SSL info
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Computer Software Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
SSL info UKuser 01-02-2007
---> Re: SSL info Sebastian Gotts...01-02-2007
|--> Re: SSL info Anne & Lynn Whe...01-02-2007
---> Re: SSL info Ertugrul Soeyle...01-02-2007
---> Re: SSL info Sebastian Gotts...01-02-2007
| `--> Re: SSL info Ertugrul Soeyle...01-05-2007
|--> Re: SSL info Anne & Lynn Whe...01-03-2007
`--> Re: SSL info Anne & Lynn Whe...01-03-2007
Posted by UKuser on January 2, 2007, 11:42 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Hi Folks,

I'm going to be working with some SSL pages (php) and wondered if there
were any good design/development sites for security tips etc so I miss
out on making the "obvious" blunders - whatever they may be.

I've found: http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx
which is very good and lists two possible problems. Here then is the
newbie question.

If a form is hosted on a HTTP (non secure) site and points to a HTTPS
in the action tag, does this mean that the page has already made the
SSL connection/handshake? Does the browser recognise the potential for
a HTTPS connection and therefore do the same as if it was a full SSL
page?

Secondly, why is mixed content so bad (any sites would be great)? I
appreciate various elements could be secure/unsecure but how would that
pose a risk?

Thanks

UkUsEr


Posted by Sebastian Gottschalk on January 2, 2007, 1:09 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
UKuser wrote:

> I'm going to be working with some SSL pages (php) and wondered if there
> were any good design/development sites for security tips etc so I miss
> out on making the "obvious" blunders - whatever they may be.

The obvious blunders are incompetent Root-CA s. You can easily recognize
them: If they're claiming to be Root-CA, then they're incompetent.

> I've found: http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx
> which is very good and lists two possible problems. Here then is the
> newbie question.
>
> If a form is hosted on a HTTP (non secure) site and points to a HTTPS
> in the action tag, does this mean that the page has already made the
> SSL connection/handshake?

No.

> Does the browser recognise the potential for
> a HTTPS connection and therefore do the same as if it was a full SSL
> page?

Yes. However, this won't help if the attacker can modified the unsecure
form to transmit the content to somewhere else.

> Secondly, why is mixed content so bad (any sites would be great)? I
> appreciate various elements could be secure/unsecure but how would that
> pose a risk?

Simple: The nonsecure content can be modified by an attacker, and such a
modified content can also modify/overwrite/extend the secure content.

Trivial example: Overwrite an nonsecure CSS stylesheet with "body {
display:none; visible: no; content-before:<!-- put your phishing website
here -->}"

Posted by UKuser on January 3, 2007, 4:19 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Hi Sebastian,

Thanks for the information. You're obviously assuming that an attacker
can get to the unsecured content and modify it. What would stop an
attacker accessing files on a secure area as well? If SSL just encrypts
the communication between the webserver and client, how are the SSL
files any more secure?

Thanks

A

Sebastian Gottschalk wrote:

> UKuser wrote:
>
> > I'm going to be working with some SSL pages (php) and wondered if there
> > were any good design/development sites for security tips etc so I miss
> > out on making the "obvious" blunders - whatever they may be.
>
> The obvious blunders are incompetent Root-CA s. You can easily recognize
> them: If they're claiming to be Root-CA, then they're incompetent.
>
> > I've found: http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx
> > which is very good and lists two possible problems. Here then is the
> > newbie question.
> >
> > If a form is hosted on a HTTP (non secure) site and points to a HTTPS
> > in the action tag, does this mean that the page has already made the
> > SSL connection/handshake?
>
> No.
>
> > Does the browser recognise the potential for
> > a HTTPS connection and therefore do the same as if it was a full SSL
> > page?
>
> Yes. However, this won't help if the attacker can modified the unsecure
> form to transmit the content to somewhere else.
>
> > Secondly, why is mixed content so bad (any sites would be great)? I
> > appreciate various elements could be secure/unsecure but how would that
> > pose a risk?
>
> Simple: The nonsecure content can be modified by an attacker, and such a
> modified content can also modify/overwrite/extend the secure content.
>
> Trivial example: Overwrite an nonsecure CSS stylesheet with "body {
> display:none; visible: no; content-before:<!-- put your phishing website
> here -->}"


Posted by UKuser on January 3, 2007, 6:32 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Just want to thank everyone for their contributions. I thought
(incorrectly) this would appear under Sebastians reply.

A

UKuser wrote:

> Hi Sebastian,
>
> Thanks for the information. You're obviously assuming that an attacker
> can get to the unsecured content and modify it. What would stop an
> attacker accessing files on a secure area as well? If SSL just encrypts
> the communication between the webserver and client, how are the SSL
> files any more secure?
>
> Thanks
>
> A
>
> Sebastian Gottschalk wrote:
>
> > UKuser wrote:
> >
> > > I'm going to be working with some SSL pages (php) and wondered if there
> > > were any good design/development sites for security tips etc so I miss
> > > out on making the "obvious" blunders - whatever they may be.
> >
> > The obvious blunders are incompetent Root-CA s. You can easily recognize
> > them: If they're claiming to be Root-CA, then they're incompetent.
> >
> > > I've found: http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx
> > > which is very good and lists two possible problems. Here then is the
> > > newbie question.
> > >
> > > If a form is hosted on a HTTP (non secure) site and points to a HTTPS
> > > in the action tag, does this mean that the page has already made the
> > > SSL connection/handshake?
> >
> > No.
> >
> > > Does the browser recognise the potential for
> > > a HTTPS connection and therefore do the same as if it was a full SSL
> > > page?
> >
> > Yes. However, this won't help if the attacker can modified the unsecure
> > form to transmit the content to somewhere else.
> >
> > > Secondly, why is mixed content so bad (any sites would be great)? I
> > > appreciate various elements could be secure/unsecure but how would that
> > > pose a risk?
> >
> > Simple: The nonsecure content can be modified by an attacker, and such a
> > modified content can also modify/overwrite/extend the secure content.
> >
> > Trivial example: Overwrite an nonsecure CSS stylesheet with "body {
> > display:none; visible: no; content-before:<!-- put your phishing website
> > here -->}"


Posted by Sebastian Gottschalk on January 3, 2007, 8:54 am
If you were  Registered and logged in, you could reply and use other advanced thread options
UKuser wrote:

> You're obviously assuming that an attacker can get to the unsecured content
> and modify it.

That's one of the scenarios SSL is supposed to protect against.

> What would stop an attacker accessing files on a secure area as well?

User authentication? Can be done via SSL, but HTTP Digest Authentication
does this as well. Plaintext passwords are also quite common, but a bad
idea.

> If SSL just encrypts the communication between the webserver and client,
> how are the SSL files any more secure?

Because "secure" on its own doesn't make any sense, you have to ask "secure
against which attack vector".

Similar ThreadsPosted
need info May 7, 2006, 5:28 pm
Info Security Positions in MA and RI May 23, 2006, 9:32 am
posting form info to a page July 19, 2005, 11:42 am
BBC links: Privacy Concerns over States'/Corporations' Use of Personal Info November 5, 2006, 7:16 am
India Call Center Employee Caught Selling Credit Card Info June 23, 2005, 3:35 pm

The site map in XML format XML site map

Contact Us | Privacy Policy