
Re: Iceweasel updates



On 2015-11-02 15:00:19 +0000, Brian wrote:
> On Mon 02 Nov 2015 at 14:58:24 +0100, Vincent Lefevre wrote:
> 
> > On 2015-11-02 13:47:41 +0000, Brian wrote:
> > > On Mon 02 Nov 2015 at 14:17:39 +0100, Vincent Lefevre wrote:
> > > > The user's browser cannot compromise the site itself. But a security
> > > > bug may permit an attacker to get the user's login and password, and
> > > > neither the bank nor the user would like this.
> > > 
> > > Would this obtaining of the password be before or after encryption
> > > takes place?
> > 
> > With an XSS[*] vulnerability, before.
> > 
> > [*] https://en.wikipedia.org/wiki/Cross-site_scripting
> 
> Quoting from that page:
> 
>   XSS enables attackers to inject client-side script into web pages
>   viewed by other users.
> 
> The bank's site would be compromised. It wouldn't matter what user-agent
> string was sent by the user.

No, the injection happens locally (after the web page is fetched),
in the user's browser, not remotely.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
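The point made above (an injected script runs in the user's browser, after the page has been fetched) is usually prevented on the server by escaping untrusted values before they are written into the page. As an added illustration that is not part of the thread, here is a constructed login template in its vulnerable and hardened forms, with a crude check for a script element that did not come from the template; the payload, the page layout and the function names are all assumptions for the example.

```javascript
// Added example, not from the thread: a server-side template that echoes an
// untrusted query value into HTML, first vulnerable, then hardened by escaping.

// The five characters that must be escaped in an HTML text context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape untrusted text so the browser's parser treats it as data, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the untrusted value is concatenated straight into the markup,
// so anything that looks like a tag is parsed and executed client-side.
function renderLoginPageVulnerable(username) {
  return '<form method="post" action="/login">' +
         '<p>Welcome back, ' + username + '</p>' +
         '<input name="password" type="password"></form>';
}

// Hardened: the same page, with the value escaped on output. Over HTTPS the
// transport is unchanged; what changes is that no foreign script ever runs.
function renderLoginPageHardened(username) {
  return '<form method="post" action="/login">' +
         '<p>Welcome back, ' + escapeHtml(username) + '</p>' +
         '<input name="password" type="password"></form>';
}

// Rough stand-in for the browser's parser: is there a script start tag?
// The legitimate template contains none, so any match is injected.
function containsInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed probe, as it might arrive in a query string (hypothetical).
const PROBE = '<script>/* would run in the victim\'s browser */</script>';
```

Both renderers accept the same input; only the hardened one leaves the probe inert, which is the check a reviewer would want on every place a request value reaches the page.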