From: Bill Stewart <bill.stewart@pobox.com>
Date: Mon, 30 Nov 1998 13:48:02 +0800
To: cypherpunks@cyberpass.net
Subject: Frames security hole
Message-ID: <3.0.5.32.19981130001506.008e9e40@idiom.com>
MIME-Version: 1.0
Content-Type: text/plain



	------------------------------
	Date: Fri, 20 Nov 1998 12:27:16 +0000 (GMT)
	From: Lindsay.Marshall@newcastle.ac.uk
	Subject: Frames security hole

	There is a description and demo of a security hole with frames in web
	browsers at http://www.securexpert.com/framespoof/start.html - there is
	a version that works without javascript enabled as well.

	http://catless.ncl.ac.uk/Lindsay
	------------------------------

I checked it out, and it's way cool.  You open some frame-using target page,
such as www.citibank.com, in Netscape or Internet Exploder,
and cliok on their hack, and a new frame appears on the target page,
replacing some frame that belonged there.  They say they can fake out
Netscape's "key" icon that claims that an https: page is secure,
though I didn't have any handy frame-based https pages to test with.

Technical Discussion: http://www.securexpert.com/framespoof/tech.html
Some defenses http://www.securexpert.com/framespoof/defense.html
==> but the rel defense is getting your browser vendor to fix the browser.
Meanwhile, don't trust any web page with frames with any
information you care too much about.
				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639