OASIS Mailing List Archives

security-services message



Subject: Re: Web-browser Binding Vulnerabilities + "Cures"


Hal,

> If an attacker can run a privileged program on a client system, there is NO
> security mechanism that can protect him or her from stealing all user data,
> keys, session tokens, etc. I don't see any reason to spend time on threats
> of this type. Not because they are not real, but because nothing in the
> protocol can protect against them. You must assume some sort of TCB to make
> any progress.

I don't disagree one single bit on that although the work to do the URL snatcher
is very limited compared to breaking into a browser session and stealing
keys. I absolutely think we should proceed with the use cases which I still lack
any comments on!  See posting "Use cases revisited" which refers to case #1.

Anders


