New Attack on Secure Browsing

Ian Grigg iang at systemics.com
Fri Jul 16 03:30:24 EDT 2004 

Aram,

It's now pretty clear that PGP had no clue what this was
all about.  Apologies to all, that was my mistake.  Also,
to clarify, there was no SSL involved.

What we are looking at is a case of being able to put a
padlock on the browser in a place that *could* be confused
by a user.  This is an unintended consequence of the
favicon design by Microsoft.

Now, another thing becomes clearer, from your report and
others:  Microsoft implemented the display of the favicon
only as accepted / chosen by the user.  You have to add
this site as a favourite.

Other browsers - the competitors - went further and
displayed the favicon on arrival at the site.  I guess
they felt that it could be more useful than Microsoft
had intended.  But, in this case, it seems that they
may have stumbled on something that goes too far.

What will save them in this case is that the numbers of
users of such non-Microsoft browsers are relatively small.
If the tables were turned, and it was Microsoft that was
vulnerable, I'd confidentally predict that we would see
some attempted exploits of this in the next month's
phishing traffic.

iang


Aram Perez wrote:
> Hi Ian,
> 
> 
>>Congratulations go to PGP Inc - who was it, guys, don't be shy this
>>time? - for discovering a new way to futz with secure browsing.
>>
>>Click on http://www.pgp.com/ and you will see an SSL-protected page
>>with that cute little padlock next to domain name.  And they managed
>>that over HTTP, as well!  (This may not be seen in IE version 5 which
>>doesn't load the padlock unless you add it to favourites, or some
>>such.)
> 
> 
> Here what I saw when going to the PGP site:
> 
> Windows XP Pro:
>     IE 6.x:         No padlock
>     Firefox 0.9.2:  Padlock on address bar and tab
> 
> Mac OS 10.2.8:
>     IE 5.2:         No padlock
>     Safari 1.0.2:   Padlock on address bar but no on tab
>     Fixfox 0.8:     Padlock on address bar and tab
>     Camino 0.7:     Padlock on address bar and tab
> 
> You stated that http://www.pgp.com is an SSL-protected page, but did you
> mean https://www.pgp.com? On my Powerbook, with all the browsers I get an
> error that the certificate is wrong and they end up at http://www.pgp.com.
> 
> I'm not sure if PGP deliberately set out to confuse naïve users since their
> logo has been the padlock for a while. Many web sites have their logo
> displayed on the address bar (and tab) when you go to there site, see
> http://www.yahoo.com or http://www.google.com. Maybe Jon can answer the
> question.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list