On Wed, Jan 09, 2008 at 03:14:35PM +0000, Russell Gadd wrote:
> Unfortunately some bank sites do use javascript and I have a concern
> over cross site scripting - only because I have yet to look deeper into
> this to see what the risks are. But if I never visit non-bank sites is
> this a problem?

It very much is: if the bank site somehow gives you JavaScript which performs a transaction as you, it is very problematic and may make it very difficult to prove you were attacked, since the requests seem to come from you. This is not XSS in the literal sense (the site attacks itself, so it is not cross-site), unless one banking site attacks another one, but I think that will not comfort you much if you get attacked :)
This, however, requires that the bank site is exploitable, and since one of the starting points is trusting the bank, you should be rather safe if you only visit bank sites, assuming you trust the SSL cert to make sure you really are connecting to the bank and not an impostor. If you are feeling paranoid, you can contain the damage to one bank by clearing your cookies between sessions and not using two banks at the same time.

Trusting SSL also means you have to type your URLs carefully. Most people do not type 'https://' but trust that an insecure connection will redirect them to the real site, which is not safe, since you could be redirected to another site in another domain with a similar name, and at least some browsers allow JavaScript to change the address bar, making the attack hard to detect. Checking the SSL certificate reveals that kind of trickery: if you connected to another domain, the certificate can't be the one your bank uses (unless the browser / SSL library, the CA or the bank screws up - but those are again things you just have to trust).

You can get some extra security by disabling JavaScript, because XSS holes in the bank's system may not mean the attacker can do anything other than XSS, but we are getting close to the unavoidable problem: you have to trust the bank, and you can only try to mitigate the effects of the bank getting compromised; preventing it is up to the bank.

And getting back to reality from all this paranoia: you are already light years ahead of a normal Windows PC, and compromise is pretty damn unlikely. The riskiest part I can see is your browser, but if you only visit banks, the real attack vectors require subverting your SSL implementation, the CA or the bank itself. This is almost definitely possible with enough resources, but it is probably not feasible to mount such an attack - that, however, depends on how much money you have :)

On another note, if security is this important, you always need to buy the CDs to make sure your OpenBSD is not compromised, and installing patches is difficult: how do you get them securely, and can you even trust the OpenBSD project? Set some reasonable goal for your security, or you can't do online banking at all. Paranoia is very good for security, and thinking of all the possibilities is both entertaining and educational, but in practice you always have to trust something, so there is no absolute security.

The final point I'd like to make is that we trust our browsers so much it is pretty scary. They are probably not very secure (I am too bad a programmer to really say anything, but the exploits seem to keep appearing), but usually the most security-critical things a Joe User does involve one, and often it is the Microsoft one.

-- 
Jussi Peltola
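Added example, not part of Jussi's post or of anything the list discussed: the certificate comparison he describes, written out as a small script. A browser checks the certificate only against the host it actually connected to, so a redirect from an insecure http:// page to a look-alike domain that holds a valid certificate for its own name passes the browser's check; the extra step is to compare the certificate against the host you meant to reach. The hostnames (bank.example, bank-example.net), the SAN lists and the redirect chain are constructed sample data, not real bank sites, and the wildcard rules are a simplified version of what browsers implement.

```python
from __future__ import annotations
from urllib.parse import urlparse


def _wildcard_ok(san_labels):
    """A wildcard is only accepted as the entire left-most label, and only
    when at least two labels follow it ('*.example.com', not '*.com' or
    'b*nk.example.com').  This follows the RFC 6125 section 6.4.3 rules."""
    if "*" in "".join(san_labels[1:]):
        return False  # wildcard somewhere other than the left-most label
    if "*" in san_labels[0] and san_labels[0] != "*":
        return False  # partial wildcard label
    if san_labels[0] == "*" and len(san_labels) < 3:
        return False  # '*.com' would cover every .com host
    return True


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """True if hostname is covered by one of the certificate's DNS SANs.
    A wildcard matches exactly one label, so '*.example.com' covers
    'www.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels) or not _wildcard_ok(san_labels):
            continue
        if all(p == "*" or p == h for p, h in zip(san_labels, host_labels)):
            return True
    return False


def check_banking_session(intended_host: str, redirect_chain, cert_dns_names):
    """Judge the page a user ended up on after typing a bank address.

    redirect_chain: the URLs visited in order; the last one is the page that
    presented the certificate whose DNS SANs are in cert_dns_names.
    Returns (ok, reason).  The first two checks are what a browser does; the
    third is the extra comparison the post recommends, against the host the
    user *intended* to reach rather than the one the redirects chose."""
    final = urlparse(redirect_chain[-1])
    if final.scheme != "https":
        return False, "final page is not https, nothing to verify"
    connected_host = final.hostname or ""
    if not hostname_matches(connected_host, cert_dns_names):
        return False, "certificate does not cover %s (browser would warn)" % connected_host
    # A look-alike domain with its own valid certificate passes the check
    # above; only comparing against the intended host catches it.
    if not hostname_matches(intended_host, cert_dns_names):
        return False, "connected to %s, but its certificate does not cover %s" % (
            connected_host, intended_host)
    return True, "certificate covers the intended host %s" % intended_host


if __name__ == "__main__":
    # Constructed sample data (hypothetical hosts): the user typed the bank
    # address without 'https://', and the insecure first hop was redirected
    # to a look-alike domain holding a valid certificate for *its own* name.
    chain = ["http://bank.example/", "https://bank-example.net/login"]
    lookalike_sans = ["bank-example.net", "www.bank-example.net"]
    print(check_banking_session("bank.example", chain, lookalike_sans))
    # Honest session for comparison.
    print(check_banking_session("bank.example",
                                ["https://bank.example/login"],
                                ["bank.example", "www.bank.example"]))
```

The look-alike case is the one the post warns about: the browser is satisfied, because the certificate really is valid for bank-example.net, and only the comparison against the host you typed reports a problem. Real browsers also apply public-suffix and IDN rules to wildcards and hostnames that this script leaves out.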