On Fri, Feb 11, 2011 at 1:07 AM, Daniel Roseman <dan...@roseman.org.uk> wrote:
> On Thursday, February 10, 2011 4:48:05 PM UTC, Brian Craft wrote:
>>
>> I'll have to look at this in more detail, but two notes, off the top.
>>
>> First, port 80 is kept open because the browser will try port 80 if
>> the user types in the URL without the protocol. On port 80 all we do
>> is issue a redirect to https, but the client will have spilled the
>> cookies by then.
>>
>> Second, the most likely scenario for this to happen is with a wireless
>> MITM. E.g. an attacker sits in, or near, a coffee shop or office with
>> a laptop set up as an AP, trolling for connections from unsuspecting
>> users. If anyone connects, the laptop can be used as a MITM. So, for
>> example, when the user types the URL and hits port 80, the MITM can
>> create an https connection to the target site, and return it via http.
>>
>> I'm not certain there's a CSRF attack here, but I suspect there is.
>
> Just a warning: if you think you're getting close to identifying a security
> hole, please don't post it in a public newsgroup, but email it directly to
> the private Django security list: secur...@djangoproject.com
Firstly, *YES PLEASE OH PLEASE YES*. If you even *suspect* that you have found a security hole, please don't discuss it in a public forum -- contact secur...@djangoproject.com.

Secondly, please search the list archives for discussions of MITM attacks, and the discussion of MITM on the CSRF design page [1]. There are known limitations with CSRF protection in general, and Luke Plant has done a great job elaborating on them in the past.

[1] http://code.djangoproject.com/wiki/CsrfProtection

Yours,
Russ Magee %-)

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
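The "client will have spilled the cookies by then" point in Brian's first note is worth seeing concretely. The following is an added example, not code from this thread or from Django: it uses the standard library's cookie jar, whose policy implements the same rule browsers apply, namely that a cookie carrying the `Secure` attribute is only attached to `https` requests. The host `example.com` and the cookie values are constructed for the demonstration; the cookie names mirror Django's default `sessionid` and `csrftoken` (in Django the corresponding settings are `SESSION_COOKIE_SECURE` and, from 1.4, `CSRF_COOKIE_SECURE`).

```python
"""Why the plain-http request that precedes the 301-to-https leaks cookies.

Added example (not from the thread or Django). The cookie jar's default
policy applies the browser rule: a cookie with the Secure attribute is
sent only over https. Host and values below are constructed.
"""
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

SITE = "example.com"  # assumed host; nothing is contacted, runs offline


def make_cookie(name, value, secure):
    """Build a Netscape-style (version 0) cookie scoped to SITE, path '/'."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=SITE, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def session_jar(secure):
    """A jar holding the two cookies a logged-in Django user typically has.
    Names mirror Django's defaults; the values are made up."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("sessionid", "s3ss10n", secure))
    jar.set_cookie(make_cookie("csrftoken", "t0k3n", secure))
    return jar


def cookies_sent(jar, url):
    """Return {name: value} that the jar would attach to a request for url.

    add_cookie_header() consults the jar's policy, which refuses to attach
    a Secure cookie when the request scheme is not https.
    """
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return {}
    return dict(part.split("=", 1) for part in header.split("; "))


def leak_report():
    """Compare what each jar reveals on the plain-http hit that happens
    before the redirect, versus on the https page itself."""
    report = {}
    for label, secure in (("no Secure flag", False), ("Secure flag", True)):
        jar = session_jar(secure)
        report[label] = {
            "http": cookies_sent(jar, "http://%s/" % SITE),
            "https": cookies_sent(jar, "https://%s/" % SITE),
        }
    return report


if __name__ == "__main__":
    for label, by_scheme in leak_report().items():
        print(label)
        for scheme, sent in by_scheme.items():
            print("  %-5s -> %s" % (scheme, sorted(sent) or "nothing"))
```

Without the flag, the very first `http://example.com/` request, the one that only ever receives a redirect, already carries `sessionid` and `csrftoken` in the clear, which is exactly what a rogue-AP MITM on port 80 is waiting for. With the flag set, that request carries nothing, and the cookies only travel on the `https` connection. Note that the flag protects the cookies, not the user's session as a whole: the attacker can still serve a stripped-down `http` copy of the site on that first hit, which is the part of the scenario HSTS is meant to close.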