Re: Iceweasel updates
On Mon 02 Nov 2015 at 23:02:38 +0100, Vincent Lefevre wrote:
> On 2015-11-02 15:00:19 +0000, Brian wrote:
> > On Mon 02 Nov 2015 at 14:58:24 +0100, Vincent Lefevre wrote:
> >
> > > On 2015-11-02 13:47:41 +0000, Brian wrote:
> > > > On Mon 02 Nov 2015 at 14:17:39 +0100, Vincent Lefevre wrote:
> > > > > The user's browser cannot compromise the site itself. But a security
> > > > > bug may permit an attacker to get the user's login and password, and
> > > > > neither the bank nor the user would like this.
> > > >
> > > > Would this obtaining of the password be before or after encryption
> > > > takes place?
> > >
> > > With an XSS[*] vulnerability, before.
> > >
> > > [*] https://en.wikipedia.org/wiki/Cross-site_scripting
> >
> > Quoting from that page:
> >
> > XSS enables attackers to inject client-side script into web pages
> > viewed by other users.
> >
> > The bank's site would be compromised. It wouldn't matter what user-agent
> > string was sent by the user.
>
> No, the injection happens locally (after the web page is fetched),
> in the user's browser, not remotely.
An attacker must inject a payload into a web page that the user visits.
When the page loads in the user’s browser the attacker’s payload will
be executed. A user would likely have no knowledge of this, irrespective
of whatever browser or user-agent string is being used.
Without the payload (which the bank's site has delivered) the security
of the browser is not compromised. If a password were to be obtained the
bank is complicit in the action. I expect they would take responsibilty
for this.
Reply to: