[16867] in cryptography@c2.net mail archive
Re: A cool demo of how to spoof sites (also shows how TrustBar prevents this...)
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Feb 9 15:42:18 2005
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Amir Herzberg <herzbea@macs.biu.ac.il>
Cc: Ian Grigg <iang@systemics.com>, cryptography@metzdowd.com
In-Reply-To: Your message of "Wed, 09 Feb 2005 19:41:36 +0200." <420A4B50.4010203@cs.biu.ac.il>
Date: Wed, 09 Feb 2005 14:12:28 -0500
In message <420A4B50.4010203@cs.biu.ac.il>, Amir Herzberg writes:
>Want to see a simple, working method to spoof sites, fooling
>Mozilla/FireFox/... , even with an SSL certificate and `lock`?
>
>http://www.shmoo.com/idn/
>
> See also:
>
> http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3866526512
>
>Want to protect your Mozilla/FireFox from such attacks? Install our
>TrustBar: http://TrustBar.Mozdev.org
>(this was the first time that I had a real reason to click the `I don't
>trust this authority` button...)
>
Actually, both Trustbar and checking the certificate are "working"
because the code isn't right yet -- those sections of code (in Firefox)
don't understand IDN yet, and they need to. Sure, they're catching a
problem here, but they're catching the problem for those network users
who are expecting and reading ASCII characters. But think of, say, the
Japanese user who would like to see that the certificate really was
issued to <some string of Kanji>, and instead sees the IDN encoding?
That's less than helpful -- he or she would have no way whatsoever of
verifying the certificate.
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
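Bellovin's point is that showing the xn-- encoding helps readers of ASCII but leaves a user who expects to read the name in their own script with nothing to verify. The following Python script is an added example, not code from this thread or from TrustBar: it uses the standard library's idna codec (RFC 3490) to show both the wire form and the display form of a hostname, and flags only labels that mix scripts, so a name written wholly in Kanji is displayed rather than rejected. The hostnames, including a "paypal" lookalike with a Cyrillic small a, are constructed sample input.

```python
import unicodedata

# Character classes with no script identity of their own; digits and the
# hyphen are allowed in labels and never make a label "mixed".
NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}


def to_ascii(host: str) -> str:
    """Wire form: every non-ASCII label becomes an xn-- (punycode) label."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Display form: xn-- labels decoded back to the script the owner chose."""
    return to_ascii(host).encode("ascii").decode("idna")


def scripts_in_label(label: str) -> set:
    """Set of script names, taken as the first word of each character's Unicode name."""
    found = set()
    for ch in label:
        first = unicodedata.name(ch, "UNKNOWN").split()[0]
        if first not in NEUTRAL:
            found.add(first)
    return found


def assess(host: str) -> dict:
    """Report both forms of a hostname and the labels that mix scripts.

    A label written entirely in one script (Latin, Cyrillic, CJK, ...) is
    left alone, so a Japanese name is shown as Kanji rather than rejected;
    only labels that combine scripts, the homograph pattern, are flagged.
    """
    unicode_form = to_unicode(host)
    mixed = [lab for lab in unicode_form.split(".") if len(scripts_in_label(lab)) > 1]
    return {"unicode": unicode_form, "ascii": to_ascii(host), "mixed_script_labels": mixed}


if __name__ == "__main__":
    # Constructed samples: plain ASCII, "paypal" with a Cyrillic small a
    # (U+0430) in place of the Latin a, the same name in wire form, and a
    # hostname written entirely in Kanji.
    for sample in ["paypal.com", "p\u0430ypal.com", "xn--pypal-4ve.com", "\u65e5\u672c.jp"]:
        print(assess(sample))
```

A label written wholly in one confusable script is not flagged by this check; catching that needs a confusables table (for example the one Unicode publishes), which this example does not include.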
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com