[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] insecure elements in https protected pages

To: Mohammad Hosein <mhtajik@xxxxxxxxx>
Subject: Re: [Full-disclosure] insecure elements in https protected pages
From: "G. D. Fuego" <gdfuego@xxxxxxxxx>
Date: Sun, 18 Oct 2009 21:28:02 -0400

On Oct 18, 2009, at 6:03 PM, Mohammad Hosein <mhtajik@xxxxxxxxx> wrote:

> in a certain web application e.g gmail there are times the whole  
> communication is secured by ssl and sometimes "there are insecure  
> elements" that raise questions . i'm not a web professional . how to  
> find these insecure elements ? and how to evaluate if these elements  
> are the results of a successful man in the middle attack or not ?

Insecure elements in a secure page wouldn't be the result of a man in  
the middle attack.  That would require being in the middle of the  
https connection in order to change the content of the page.

If you're already in the middle of the https connection in a non- 
obvious way, why downgrade to http?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] insecure elements in https protected pages
  - From: Mohammad Hosein

Prev by Date: [Full-disclosure] insecure elements in https protected pages
Next by Date: [Full-disclosure] In-depth research on the recent PDF zero-day exploit (CVE-2009-3459)
Previous by thread: [Full-disclosure] insecure elements in https protected pages
Next by thread: Re: [Full-disclosure] insecure elements in https protected pages
Index(es):
- Date
- Thread