Dailydave mailing list archives
Re: SSL MITM fun.
From: Alexander Sotirov <alex () sotirov net>
Date: Fri, 20 Feb 2009 06:07:26 -0500
On Fri, Feb 20, 2009 at 07:41:25AM +0100, Michal Zalewski wrote:
> > The new idea in this presentation is to use a .cn domain, but use UNICODE characters that look like '/'.
>
> The idea is certainly not new; it's covered, amongst other places, in our Browser Security Handbook for a longer while (gives specifically the '/' example, and discusses mitigations): http://code.google.com/p/browsersec/wiki/Part2#International_Domain_Name_checks

I assumed it was new because I hadn't been following the IDN security closely, but you're right, this attack has been known for a while. However, the countermeasures browsers have implemented are trivial to bypass. It only took me an hour to find a number of variations of the homograph attack that still work.

Here's a spoofed google.com page (over SSL for bonus points) that works on the latest version of Firefox 3 on Mac OS X:

https://www.google.xn--com-edoaaaaaaaaaaaaaaaaaaaaaaaaaaaa.phreedom.org/

It's been years since browser vendors were first made aware of the homograph attacks and there is still no good solution. Perhaps it's time to scrap IDN and try a different approach?

Take care,
Alex
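
Added example, not part of the original message: a defender-side check that Punycode-decodes each xn-- label of a hostname and flags labels that mix scripts or carry non-letter code points, run here on the hostname quoted in the message above. The function names and the script heuristic (first word of the Unicode character name, since the Python standard library exposes no Script property) are assumptions of this example.

```python
import unicodedata

# Hostname taken from the message above (the only sample input used here).
SAMPLE_HOST = "www.google.xn--com-edoaaaaaaaaaaaaaaaaaaaaaaaaaaaa.phreedom.org"

def decode_label(label):
    """Return the Unicode form of one DNS label; xn-- labels are Punycode-decoded."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def letter_script(ch):
    """Heuristic script guess for a letter: first word of its Unicode name."""
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def audit_host(host):
    """Return (label, decoded, reasons) for every label that deserves a closer look."""
    findings = []
    for label in host.rstrip(".").split("."):
        try:
            decoded = decode_label(label)
        except UnicodeError:
            findings.append((label, None, ["not valid Punycode"]))
            continue
        # Letters are compared by script; anything non-ASCII that is not a
        # letter, mark or number (symbols, punctuation, unassigned) is listed.
        letters = [c for c in decoded if unicodedata.category(c).startswith("L")]
        others = [c for c in decoded
                  if not c.isascii() and unicodedata.category(c)[0] not in "LMN"]
        reasons = []
        scripts = sorted({letter_script(c) for c in letters})
        if len(scripts) > 1:
            reasons.append("mixed scripts: " + ", ".join(scripts))
        if others:
            points = sorted({"U+%04X" % ord(c) for c in others})
            reasons.append("non-letter code points: " + ", ".join(points))
        if reasons:
            findings.append((label, decoded, reasons))
    return findings

if __name__ == "__main__":
    for label, decoded, reasons in audit_host(SAMPLE_HOST):
        print(label, ["U+%04X" % ord(c) for c in decoded or ""], reasons)
```

A label is reported when its letters come from more than one script or when it contains non-ASCII symbols or punctuation; plain ASCII hostnames produce no findings.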