
Re: Iceweasel updates



On Mon 02 Nov 2015 at 14:58:24 +0100, Vincent Lefevre wrote:

> On 2015-11-02 13:47:41 +0000, Brian wrote:
> > On Mon 02 Nov 2015 at 14:17:39 +0100, Vincent Lefevre wrote:
> > > The user's browser cannot compromise the site itself. But a security
> > > bug may permit an attacker to get the user's login and password, and
> > > neither the bank nor the user would like this.
> > 
> > Would this obtaining of the password be before or after encryption
> > takes place?
> 
> With an XSS[*] vulnerability, before.
> 
> [*] https://en.wikipedia.org/wiki/Cross-site_scripting

Quoting from that page:

  XSS enables attackers to inject client-side script into web pages
  viewed by other users.

The bank's site would be compromised. It wouldn't matter what user-agent
string was sent by the user.

MBNA accepts "My Very own Browser" as the user-agent. RBS says the
browser I am using is not supported (whatever that means). How remiss
is MBNA in the area of security?


