- From: spam filter <spam+w3c@jeff-nelson.com>
- Date: Sat, 15 Jul 2006 14:13:52 -0700
- To: "James A. Donald" <jamesd@echeque.com>
- Cc: public-usable-authentication@w3.org
> Chris Drake wrote:
> > XSS can steal anything - passwords, pw-manager
> > credentials, and/or cookies - discussion of
> > HTTPS/pw-manager/etc as some kind of solution to XSS
> > simply makes no sense whatsoever.

I hadn't intended my example of session takeover to go in the direction of discussing XSS or malicious code attacks. The point I was attempting to make is that solutions which only address client authentication phishing are not sufficient. The larger problem is mutual authentication and session takeover. XSS was mentioned only as an example of how to implement a session takeover. However, a more straightforward example would be opening a modal window with a web site spoof on top of an existing session after authentication has occurred.

- Jeff
Received on Saturday, 15 July 2006 21:13:59 UTC