[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] SSL does not = a secure website

From: "Ryan Barnett" <rcbarnett@xxxxxxxxx>
Subject: Re: [WEB SECURITY] SSL does not = a secure website
Date: Wed, 29 Mar 2006 08:51:11 -0500

While these tangents are interesting, my original question is still
unanswered.  Does anyone have any references to news stories, etc...
about attackers sniffing user's web data and then using it?

This is not a questions of whether sniffing is a real threat, it is. 
This is a question of having verifiable proof that this is happening
in order to "convert" the unbelievers.  We have verifiable proof that
credit card data is being pilfered in other ways (keyloggers, access
to DB, etc...).  Check out the WASC Web Hacking Incident Database for
news stories -
http://www.webappsec.org/projects/whid/list_class_sql_injection.shtml

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

Follow-Ups:
- Re: [WEB SECURITY] SSL does not = a secure website
  - From: Brian Eaton

References:
- Re: [WEB SECURITY] SSL does not = a secure website
  - From: Andrew van der Stock
- RE: [WEB SECURITY] SSL does not = a secure website
  - From: Lyal Collins

Prev by Date: RE: [WEB SECURITY] SSL does not = a secure website
Next by Date: [WEB SECURITY] Online Certificate of Authority
Previous by thread: RE: [WEB SECURITY] SSL does not = a secure website
Next by thread: Re: [WEB SECURITY] SSL does not = a secure website
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org