
Re: Iceweasel updates

On 2015-11-02 22:53:03 +0000, Brian wrote:
> An attacker must inject a payload into a web page that the user visits.
> When the page loads in the user’s browser the attacker’s payload will
> be executed. A user would likely have no knowledge of this, irrespective
> of whatever browser or user-agent string is being used.
> Without the payload (which the bank's site has delivered) the security
> of the browser is not compromised. If a password were to be obtained the
> bank is complicit in the action. I expect they would take responsibility
> for this.

If the attack is due to a vulnerability in the user's browser and
this browser is blocked by the bank because it is old and no longer
maintained (thus may have known, unfixed vulnerabilities), the user
would be fully responsible. Actually it is the responsibility of
the user to update his software, but bypassing the bank's security
mechanisms makes him even more responsible.

Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
