Dailydave mailing list archives
Re: SSL MITM fun.
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 20 Feb 2009 12:31:41 +0100
> However, the countermeasures browsers have implemented are trivial to bypass. It only took me an hour to find a number of variations of the homograph attack that still work. Here's a spoofed google.com page (over SSL for bonus points) that works on the latest version of Firefox 3 on Mac OS X:
Ugh, it sucks if Firefox still falls for this with the typefaces the URL is displayed with on MacOS X. Does not seem to work in MSIE7, Safari, Opera, or Chrome - though their mechanisms are also far from being perfect (simply because there is no particularly decent solution).
> It's been years since browser vendors were first made aware of the homograph attacks and there is still no good solution. Perhaps it's time to scrap IDN and try a different approach?
Well, from a security standpoint, IDN was a poorly thought out / underspecified idea, and also one that was rendered nearly useless by the security restrictions imposed later on - or at least, save for a couple of odds and ends, I do not see it being used in Latin alphabet countries in appreciable numbers.

...but ditto for most other browser mechanisms, including cross-domain interactions (XSRF, "clickjacking"), same-origin policy (which not only has several incompatible flavors, but is grossly insufficient as a security mechanism *AND* proves to be a major obstacle for developers - quite a feat)... content sniffing, globalStorage, HTTP / HTML / cookie parsing ambiguities, and a lot more... (in fact, about 80% of BSH is "oh God, what were they thinking?")...

...and ditto for pretty much every other core technology behind the Internet (DNS, SMTP, anyone?). Good and incompatible alternatives are easy to propose, but it seems like in the end, we have done very little to fix the systemic failures over the decades, so I'm not getting my hopes up for replacing IDN with a better alternative any time soon.

Bleh.

/mz

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
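A defender-side check for the IDN homograph problem discussed in this thread, added here as an example; it is not part of the original post and not any browser's implementation. It decodes punycode labels and flags those that mix scripts or that are visually identical to an ASCII label under a small lookalike table, which is constructed for this example and assumed to be partial.

```python
import unicodedata

# Constructed, deliberately partial lookalike table: non-Latin letters that
# render like ASCII letters in common fonts (cf. Unicode confusables.txt).
LOOKALIKE_TO_ASCII = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u04cf": "l", "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}

def script_of(ch):
    """Script of a character, taken from its Unicode name ('CYRILLIC SMALL
    LETTER A' -> 'CYRILLIC'); digits, hyphens and punctuation count as COMMON."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def decode_label(label):
    """Turn an ACE label (xn--...) back into Unicode; plain labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def analyze_label(label):
    """Classify one hostname label: which scripts it mixes and whether it is
    visually identical to an all-ASCII label under the lookalike table."""
    label = unicodedata.normalize("NFKC", decode_label(label)).lower()
    scripts = {script_of(c) for c in label} - {"COMMON"}
    skeleton = "".join(LOOKALIKE_TO_ASCII.get(c, c) for c in label)
    return {
        "label": label,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "ascii_lookalike": (not label.isascii()) and skeleton.isascii(),
        "skeleton": skeleton,
    }

def check_hostname(host):
    """Return the analysis of every label that is mixed-script or an ASCII
    lookalike; an empty list means nothing suspicious was found."""
    return [r for r in (analyze_label(part) for part in host.split("."))
            if r["mixed_script"] or r["ascii_lookalike"]]

if __name__ == "__main__":
    # Constructed samples: plain ASCII, Cyrillic-a + Latin, all-Cyrillic "apple".
    cyr_apple = "xn--" + "\u0430\u0440\u0440\u04cf\u0435".encode("punycode").decode("ascii")
    for h in ("google.com", "\u0430pple.com", cyr_apple + ".com"):
        print(h, check_hostname(h))
```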
Current thread:
- SSL MITM fun. Dave Aitel (Feb 19)
- Message not available
- SSL MITM fun. Dan Moniz (Feb 19)
- Re: SSL MITM fun. Alexander Sotirov (Feb 19)
- Re: SSL MITM fun. Dan Moniz (Feb 19)
- Re: SSL MITM fun. Chris Weber (Feb 20)
- Re: SSL MITM fun. Michal Zalewski (Feb 20)
- Re: SSL MITM fun. Alexander Sotirov (Feb 20)
- Re: SSL MITM fun. Michal Zalewski (Feb 20)
- Re: SSL MITM fun. Robert Święcki (Feb 20)
- Message not available
- Re: SSL MITM fun. Michal Zalewski (Feb 20)
- SSL MITM fun. Dan Moniz (Feb 19)
- Message not available
- Re: SSL MITM fun. Michal Zalewski (Feb 19)
- Re: SSL MITM fun. Berend-Jan Wever (Feb 19)
- Re: SSL MITM fun. Fyodor (Feb 19)
- Re: SSL MITM fun. Richard Bejtlich (Feb 20)
- Re: SSL MITM fun. jmoss (Feb 24)
- Re: SSL MITM fun. Dragos Ruiu (Feb 19)
