SSL question

 
 
Jim Watt
Guest
Posts: n/a
 
      05-05-2006
If I have a secure server and open a frame on another non secure
webserver is the data to the browser from the frame encrypted?
--
Jim Watt
http://www.gibnet.com
 
TwistyCreek
Guest
Posts: n/a
 
      05-05-2006
Jim Watt wrote:

> If I have a secure server and open a frame on another non secure webserver
> is the data to the browser from the frame encrypted?


No.

Now ask the question properly and you may discover why it's still OK to do
things like this in most cases.

 
Sebastian Gottschalk
Guest
Posts: n/a
 
      05-05-2006
TwistyCreek wrote:
> Jim Watt wrote:
>
>> If I have a secure server and open a frame on another non secure webserver
>> is the data to the browser from the frame encrypted?

>
> No.
>
> Now ask the question properly and you may discover why it's still OK to do
> things like this in most cases.


Beside that it will make your address bar change from yellow to red,
orange or white, a broken SSL icon and a warning about mixed content
popping up, what exactly is the purpose of such a stupid thing except
giving a wonderful opportunity for phishing?
 
TwistyCreek
Guest
Posts: n/a
 
      05-05-2006
Sebastian Gottschalk wrote:

> TwistyCreek wrote:
>> Jim Watt wrote:
>>
>>> If I have a secure server and open a frame on another non secure
>>> webserver is the data to the browser from the frame encrypted?

>>
>> No.
>>
>> Now ask the question properly and you may discover why it's still OK to
>> do things like this in most cases.

>
> Beside that it will make your address bar change from yellow to red,
> orange or white, a broken SSL icon and a warning about mixed content


How descriptively myopic of you to base a reply on pretty color changes
and dummy graphics, and miss the point entirely. <sigh>

> popping up, what exactly is the purpose of such a stupid thing except
> giving a wonderful opportunity for phishing?


Why would you assume that any nefarious motives exist? The question was
regarding end-to-end encryption and distributed content. And more
importantly perfect forward security, which SSL never has and never will
provide.

Now go back and think real slowly about what was being asked, the answer
given, and see if you can't manage to stumble across the correct page
before you reply again.

Don't worry, nobody will be holding their breath.



 
Jim Watt
Guest
Posts: n/a
 
      05-05-2006
On 5 May 2006 19:53:21 -0000, TwistyCreek <(E-Mail Removed)>
wrote:

I seem to have missed the reply from Sebastian Grottytalk
however, haven't missed much

>what exactly is the purpose of such a stupid thing except
>giving a wonderful opportunity for phishing?


The purpose of 'such a thing' is devising a mechanism to read
my webmail whilst using other people's computers and networks.

Answers from those with a clue on how are welcomed.
--
Jim Watt
http://www.gibnet.com
 
Sebastian Gottschalk
Guest
Posts: n/a
 
      05-05-2006
TwistyCreek wrote:

>>> Now ask the question properly and you may discover why it's still OK to
>>> do things like this in most cases.

>> Beside that it will make your address bar change from yellow to red,
>> orange or white, a broken SSL icon and a warning about mixed content

>
> How descriptively myopic of you to base a reply on pretty color changes
> and dummy graphics, and miss the point entirely. <sigh>


You really don't understand visual SSL indicators in modern web browsers,
do you?

>> popping up, what exactly is the purpose of such a stupid thing except
>> giving a wonderful opportunity for phishing?

>
> Why would you assume that any nefarious motives exist?


Because of a malicious third party?
If you can do a
https://mysecuresite.com/main.php?in...lsite.com/evil,
you have a serious problem anyway, but that's exactly what the mixed
content warning is good for.

> The question was
> regarding end-to-end encryption and distributed content. And more
> importantly perfect forward security, which SSL never has and never will
> provide.


There is no need for forwarding, transferring session data can be done
from server to server by utilizing a simple token.

> Now go back and think real slowly about what was being asked, the answer
> given,


I already did before posting a reply.
 
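The mixed-content case discussed in this thread, as an added example that is not part of any post: a Python check that lists which frames, scripts and images an HTTPS page would fetch over plain HTTP, and therefore without encryption. The page URL, host names and HTML below are constructed sample values, and the function and class names are made up for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute makes the browser fetch a subresource.
FETCHING_TAGS = {"frame", "iframe", "script", "img"}


class SubresourceCollector(HTMLParser):
    """Collects (tag, absolute_url, is_https) for each fetched subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag not in FETCHING_TAGS:
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # Relative and protocol-relative URLs inherit the page's scheme.
        absolute = urljoin(self.page_url, src)
        scheme = urlsplit(absolute).scheme
        if scheme in ("http", "https"):
            self.found.append((tag, absolute, scheme == "https"))


def plaintext_subresources(page_url, html):
    """Return (tag, url) pairs that an HTTPS page would load without TLS."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("only meaningful for a page served over https")
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url, is_https in collector.found if not is_https]


# Constructed sample input (not taken from any real site).
SAMPLE_PAGE_URL = "https://mail.example.test/inbox"
SAMPLE_HTML = """
<iframe src="http://webmail.example.test/read?id=1"></iframe>
<iframe src="/folders"></iframe>
<iframe src="//static.example.test/help.html"></iframe>
<script src="https://static.example.test/app.js"></script>
<img src="http://ads.example.test/banner.gif">
"""

if __name__ == "__main__":
    for tag, url in plaintext_subresources(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"not encrypted: <{tag}> {url}")
```

Only the two `http://` references are reported; the relative and protocol-relative frames resolve to `https://` because they inherit the scheme of the page that embeds them.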
 
Todd H.
Guest
Posts: n/a
 
      05-05-2006
Jim Watt <(E-Mail Removed)_way> writes:
> If I have a secure server and open a frame on another non secure
> webserver is the data to the browser from the frame encrypted?


Jim, as specified, I'm not sure there are enough details to answer
this question accurately. For instance, no one can be sure if you're
using frame in the actual iframe html sense, or in the sense of a
window popup, without seeing the specific site you're looking to
access, it's hard to say what's encrypted and what's not, etc.

Evidently you have a very specific situation in mind. You may wish to
download and run Ethereal, a freeware sniffer, and capture data and
review it when logging in and interacting with your email on your own
machine to see how it might be from another machine.

Now, even if it is encrypted, your risk accessing email from someone
else's machine lies more in keylogging and password grabbing from the
system itself rather than things being sniffed on the wire. This is
mitigated somewhat if, say, there's a java based keyboard or something
clever on the site you're accessing to be able to enter your password
without using the keyboard or OS directly, but even then, you're still
subject to eavesdropping, and will have some security exposure. Plus
I haven't seen any such mail system in existence other than in my
mind.

If you're using computers you don't own, about the best you can do is
visually inspect for keyloggers, and boot to a knoppix disk or
something.

Best Regards,
--
Todd H.
http://www.toddh.net/
 
Jim Watt
Guest
Posts: n/a
 
      05-05-2006
On 05 May 2006 16:17:19 -0500, (E-Mail Removed) (Todd H.) wrote:

>I haven't seen any such mail system in existence


Neither have I, but that's no reason not to try and build
one. The question is how easily it can be done.

Thus the question.
--
Jim Watt
http://www.gibnet.com
 
Rick Merrill
Guest
Posts: n/a
 
      05-05-2006
Jim Watt wrote:
> If I have a secure server and open a frame on another non secure
> webserver is the data to the browser from the frame encrypted?
> --
> Jim Watt
> http://www.gibnet.com


SSL can be trojaned! - Rick


http://weblog.infoworld.com/article/...Peditor_1.html
 
Sebastian Gottschalk
Guest
Posts: n/a
 
      05-05-2006
Rick Merrill wrote:
> SSL can be trojaned! - Rick
>
>
> http://weblog.infoworld.com/article/...Peditor_1.html


I would at least have written it as "SSL can be tr0janed !!!!!!!!!1112".

From TFA: "Infoworld.com's security adviser columnist and contributing
editor Roger Grimes loves his job. And why not?"

That's easy to answer:
<http://images.infoworld.com/img/img_hdshot_82x74_Steve_Fox.gif>
 