Dailydave mailing list archives
Re: SSL MITM fun.
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 20 Feb 2009 07:41:25 +0100
> The new idea in this presentation is to use a .cn domain, but use UNICODE characters that look like '/'.

The idea is certainly not new; it's covered, amongst other places, in our Browser Security Handbook for a longer while (gives specifically the '/' example, and discusses mitigations):

http://code.google.com/p/browsersec/wiki/Part2#International_Domain_Name_checks

Unless I am mistaken, an URL such as http://www.example.com⁄foo.ijjk.cn (which is the example discussed) is rendered as Punycode by Firefox 3, MSIE7, Safari 3, Chrome, and Opera 9, specifically because - as discussed - they implement domain or locale script correlation, or have homoglyph blacklists built in.

If you compare Moxie's screenshots with the appearance of Firefox 2 and 3, it is clear from the URL bar back / forward / reload / home icons, that he is using a long-obsolete and unsupported version 1.x, which is either an honest mistake, or a small bit of deception - but in any case, the attack should not work in contemporary browsers.

/mz

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
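
The display decision the message describes (fall back to Punycode when a host name trips a homoglyph blacklist or a script check) can be sketched as follows. This is an added example, not code from the post, the Browser Security Handbook or any browser; the blacklist contents, the script heuristic based on Unicode character names, and the function names are assumptions, and the encoding step skips nameprep.

```python
import unicodedata

# Assumed blacklist of characters that imitate the '/' URL delimiter:
# fraction slash, division slash, fullwidth solidus.
SLASH_LOOKALIKES = {"\u2044", "\u2215", "\uff0f"}

def to_ace(label):
    """ASCII-compatible form of one label (simplified: no nameprep)."""
    try:
        label.encode("ascii")
        return label
    except UnicodeEncodeError:
        return "xn--" + label.encode("punycode").decode("ascii")

def scripts(label):
    """Rough script set: first word of each letter's Unicode name."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def display_host(host):
    """Return (text for the address bar, reason for the choice)."""
    labels = host.split(".")
    ace = ".".join(to_ace(label) for label in labels)
    if any(ch in SLASH_LOOKALIKES for ch in host):
        return ace, "delimiter look-alike"
    if any(len(scripts(label)) > 1 for label in labels):
        return ace, "mixed scripts in one label"
    return host, "ok"

if __name__ == "__main__":
    samples = [
        "www.example.com\u2044foo.ijjk.cn",  # host from the message above
        "p\u0430ypal.com",                   # constructed: Cyrillic 'a' among Latin
        "b\u00fccher.de",                    # constructed: single-script IDN
    ]
    for host in samples:
        shown, reason = display_host(host)
        print(f"{reason:28} {shown}")
```

With the fallback applied, the label containing the fraction slash is shown as `xn--comfoo-…`, so the text before `.ijjk.cn` no longer reads as a path on `www.example.com`.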