Dailydave mailing list archives

Re: SSL MITM fun.


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 20 Feb 2009 07:41:25 +0100

The new idea in this presentation is to use a .cn domain, but use UNICODE
characters that look like '/'.

The idea is certainly not new; it's covered, amongst other places, in
our Browser Security Handbook for a longer while (gives specifically
the '/' example, and discusses mitigations):

http://code.google.com/p/browsersec/wiki/Part2#International_Domain_Name_checks

Unless I am mistaken, a URL such as
http://www.example.com⁄foo.ijjk.cn (which is the example discussed) is
rendered as Punycode by Firefox 3, MSIE7, Safari 3, Chrome, and Opera
9, specifically because - as discussed - they implement domain or
locale script correlation, or have homoglyph blacklists built in.

If you compare Moxie's screenshots with the appearance of Firefox 2
and 3, it is clear from the URL bar back / forward / reload / home
icons, that he is using a long-obsolete and unsupported version 1.x,
which is either an honest mistake, or a small bit of deception - but
in any case, the attack should not work in contemporary browsers.

/mz
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
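The two points in the reply above, shown in code (an added example for this archive page, not code from Michal, Moxie, or any browser): the host a browser resolves is everything up to the first ASCII '/', so the fraction slash (U+2044) leaves "www.example.com" inside a label that belongs to ijjk.cn; and a homoglyph blacklist or a per-label script check of the kind the post mentions is what makes the URL bar fall back to Punycode. The blacklist, the name-based script heuristic, and the sample URLs are this example's own assumptions, not any browser's actual tables.

```python
# Added example, not from the original thread or any browser's source.
import unicodedata
from urllib.parse import urlsplit

# Constructed list of code points that look like URL delimiters in common
# fonts (assumption: a real browser table is larger and font-aware).
CONFUSABLE_DELIMITERS = {
    "\u2044": "FRACTION SLASH",
    "\u2215": "DIVISION SLASH",
    "\u2024": "ONE DOT LEADER",
    "\u2236": "RATIO",              # resembles ':'
    "\u0589": "ARMENIAN FULL STOP",
}


def real_host(url):
    """The host a browser will actually resolve. U+2044 is not '/', and it
    does not NFKC-normalize to '/', so neither the URL parser nor IDNA
    splits the string there: "www.example.com" is just part of a label."""
    return urlsplit(url).hostname


def script_of(ch):
    """Crude script classification from the character's Unicode name
    (assumption: a real check would use the Unicode Script property)."""
    if ch in "-0123456789":
        return "Common"
    try:
        return unicodedata.name(ch).split()[0]   # e.g. "LATIN", "CYRILLIC"
    except ValueError:
        return "Unknown"


def label_issues(label):
    """Reasons a single label must not be shown in its Unicode form."""
    issues = []
    for ch in label:
        if ch in CONFUSABLE_DELIMITERS:
            issues.append("confusable delimiter U+%04X (%s)"
                          % (ord(ch), CONFUSABLE_DELIMITERS[ch]))
    scripts = {script_of(ch) for ch in label} - {"Common"}
    if len(scripts) > 1:
        issues.append("mixed scripts: " + ", ".join(sorted(scripts)))
    return issues


def display_host(host):
    """Return (string to show in the URL bar, reasons). Unicode is shown only
    when every non-ASCII label passes; otherwise the whole host is shown in
    its IDNA (xn--) form, which is the behaviour the post describes."""
    reasons = []
    for label in host.split("."):
        if not label.isascii():
            reasons += ["%r: %s" % (label, i) for i in label_issues(label)]
    if reasons:
        return host.encode("idna").decode("ascii"), reasons
    return host, reasons


if __name__ == "__main__":
    # Constructed sample URLs; the first is the one discussed in the thread.
    for url in ("http://www.example.com\u2044foo.ijjk.cn/login",
                "http://b\u00fccher.example/",      # all Latin: shown as Unicode
                "http://p\u0430ypal.example/"):     # Cyrillic 'а': shown as Punycode
        host = real_host(url)
        shown, why = display_host(host)
        print(host, "->", shown, why)
```

Note the limit of the script check on its own: a label written entirely in one script of look-alikes (say, all-Cyrillic letters that render like "paypal") has no script mix and no blacklisted delimiter, so it passes this function; that is why browsers pair it with per-TLD registry policy or confusable tables rather than relying on it alone.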
