Michal Zalewski posted a message to the FD mailing list today that outlined a possible attack scenario using IE and XMLHttpRequest.
Shortly after his post, he was alerted that Amit Klein had reported a possible browser cache poisoning attack in May of 2006 that also exploited the XMLHttpRequest trick.
Aren't "https:" requests the norm - "s" being the operative letter denoting certified security (not guaranteed) on the site? Not many sites use just http:, or am I misinformed?