A cool demo of how to spoof sites (also shows how TrustBar prevents this...)

Steven M. Bellovin smb at cs.columbia.edu
Wed Feb 9 14:12:28 EST 2005


In message <420A4B50.4010203 at cs.biu.ac.il>, Amir Herzberg writes:
>Want to see a simple, working method to spoof sites, fooling 
>Mozilla/FireFox/... , even with an SSL certificate and `lock`?
>
>http://www.shmoo.com/idn/
>
>  See also:
>
>   http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3866526512
>
>Want to protect your Mozilla/FireFox from such attacks? Install our 
>TrustBar: http://TrustBar.Mozdev.org
>(this was the first time that I had a real reason to click the `I don't 
>trust this authority` button...)
>

Actually, both Trustbar and checking the certificate are "working" 
because the code isn't right yet -- those sections of code (in Firefox) 
don't understand IDN yet, and they need to.  Sure, they're catching a 
problem here, but they're catching the problem for those network users 
who are expecting and reading ASCII characters.  But think of, say, the 
Japanese user who would like to see that the certificate really was 
issued to <some string of Kanji>, and instead sees the IDN encoding?  
That's less than helpful -- he or she would have no way whatsoever of 
verifying the certificate.

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
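An added illustration (not code from this thread, from Firefox or from TrustBar) of the two things Bellovin says the certificate-display code must learn to do: decode the IDN (xn--) form back to the Unicode the user actually reads, and flag labels that mix scripts, which is what the shmoo demo relies on. The script table and the grouping of Hiragana, Katakana and Kanji as one "Japanese" script are simplifying assumptions of this example.

```python
# Script ranges are a deliberately small, assumed table, not a full Unicode
# Script property. Japanese legitimately mixes three scripts, so they are
# grouped; a real check would use the Unicode Script property and a
# "highly restrictive" mixing profile.
SCRIPT_RANGES = [
    ((0x0041, 0x024F), "Latin"),      # Basic Latin through Latin Extended-B
    ((0x0370, 0x03FF), "Greek"),
    ((0x0400, 0x04FF), "Cyrillic"),
    ((0x3040, 0x30FF), "Japanese"),   # Hiragana + Katakana
    ((0x4E00, 0x9FFF), "Japanese"),   # CJK Unified Ideographs (Kanji)
]


def to_ace(host: str) -> str:
    """Unicode hostname -> ASCII-compatible (xn--) form, via Python's idna codec."""
    return host.encode("idna").decode("ascii")


def decode_idn(host: str) -> str:
    """ACE hostname -> the Unicode string a user should be shown (and can verify)."""
    return host.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Return the set of scripts used by the letters of one hostname label.
    Digits and hyphens are script-neutral and ignored."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        cp = ord(ch)
        for (lo, hi), name in SCRIPT_RANGES:
            if lo <= cp <= hi:
                scripts.add(name)
                break
        else:
            scripts.add("Other")
    return scripts


def assess_host(host: str) -> dict:
    """Decode an (ACE or Unicode) hostname for display and list any label
    that mixes scripts, e.g. Latin letters with a Cyrillic look-alike."""
    display = decode_idn(host) if host.isascii() else host
    mixed = [lab for lab in display.split(".") if len(label_scripts(lab)) > 1]
    return {"display": display, "mixed_script_labels": mixed}


if __name__ == "__main__":
    # Constructed sample hosts: a Japanese name and a Latin label with Cyrillic 'a'.
    for h in (to_ace("日本語.jp"), to_ace("ex\u0430mple.com"), "www.example.com"):
        print(h, "->", assess_host(h))
```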