Re: Google Chrome Address Spoofing (Request For Comment)

[0pc0deFR <0pc0defr () gmail com>]

Work on Google Chrome Ubuntu.

--
Cordialement,

Kévin FALCOZ alias 0pc0deFR - Consultant Expert WordPress -
http://wordpress-expertise.fr

--
Regards,

Kévin FALCOZ aka 0pc0deFR - WordPress Expert Consultant -
http://wordpress-expertise.fr

2015-06-30 16:04 GMT+02:00 Daniel Micay <danielmicay () gmail com>:

> On 30/06/15 09:52 AM, Florian Weimer wrote:
> > On 06/30/2015 03:45 PM, Daniel Micay wrote:
> > > It does display a window with the oracle.com address, but I don't
> > > understand why you've got an ever increasing number of setTimeout events
> > > built in here. It's also unclear what you mean about click-to-verify. Is
> > > this bypassing a warning prompt by breaking it with a flood of requests?
> >
> > I have not tried this, but here's some context:
> >
> > Most browsers have issues where they do not update the URL bar when
> > content from a different is shown (i.e., the update happens to late), or
> > they show the new URL while still displaying old content (update too
> > late).  I've seen such discrepancies with Firefox, but I don't know if
> > it's still present in current versions.
> >
> > If such bugs are present, freezing browsers while they are showing
> > inconsistent content (hence the DoS attempt) could lead the user to
> > attribute content to the incorrect site.
>
> Ah, that makes sense. It seems to depend on a race condition so it makes
> sense that it can't always be replicated. I've tried it a few times and
> it fails about as often as it works. I have a feeling that the proof of
> concept was the whole issue report and it just happened to fail for
> whoever tested it.