
An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 10:44 UTC (Wed) by epa (subscriber, #39769)
In reply to: An alleged SSL/TLS protocol vulnerability by rickmoen
Parent article: An alleged SSL/TLS protocol vulnerability

If a page contains mixed secure and insecure items, the insecure ones could still be loaded, but with JavaScript disabled.



An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 12:39 UTC (Wed) by tialaramex (subscriber, #21167)

The problem is that the user doesn't know what the mix is. Telling them "some of what you see can be trusted" isn't worth very much under any circumstances.

That isn't a theoretically insurmountable problem, but the truth is that our existing systems already assume the user is far smarter and more interested than they are, so making it worse is probably the wrong direction.

An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 16:36 UTC (Wed) by JoeBuck (subscriber, #2330)

It would only be feasible if the browser, rather than the user, did this (disable unencrypted JavaScript on mixed secure/insecure pages).

An alleged SSL/TLS protocol vulnerability

Posted Sep 26, 2011 22:40 UTC (Mon) by bjartur (guest, #67801)

Thing is, XSS practically taints *the whole page*. You can't trust any of it. God forbid you from running code from it sans review.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.