
Re: AW: AW: Secure Chrome

From: spam filter <spam+w3c@jeff-nelson.com>
Date: Sat, 15 Jul 2006 14:13:52 -0700
Message-ID: <a76292cb0607151413g7e946bd2o9b573d7230f4a30f@mail.gmail.com>
To: "James A. Donald" <jamesd@echeque.com>
Cc: public-usable-authentication@w3.org

> Chris Drake wrote:
> > XSS can steal anything - passwords, pw-manager
> > credentials, and/or cookies - discussion of
> > HTTPS/pw-manager/etc as some kind of solution to XSS
> > simply makes no sense whatsoever.

I hadn't intended my example of session takeover to go in the
direction of discussing XSS or malicious code attacks.  The point I
was attempting to make is that solutions which only address client
authentication phishing are not sufficient.  The larger problem is
mutual authentication and session takeover.

XSS was mentioned only as an example of how to implement a session
takeover.  However, a more straightforward example would be opening a
modal window with a web site spoof on top of an existing session after
authentication has occurred.

   - Jeff
Received on Saturday, 15 July 2006 21:13:59 GMT
