Too much time on their hands up in the North Woods
The boyz at Dartmouth's PKI Lab have been playing with JavaScript. The results are troubling in an "E-Qold" kind of way. http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/tr.pdf By painting over the location and status bars of typical wintel browsers, and using javascript's pop-up window capability they are able to spoof an SSL session, without even duping Verisign into giving them a bogus cert. The effort is painstaking but the results apparently slick. Picks up from Felton's seminal work (since deprecated). I like this for Verified by Visa 3-D Secure applications: "Hello, this is the FleetBankBoston VISA Verifier popup. Please type your password in this secure window now.....Thank you, and remember, NEVER share your password. Have a nice day!" Not discussed, but important to the discerning bad-guy's tool kit is the "proxy-spoof." This is a webserver which has a home page which looks like, say, Amazon.com but isn't. For every click you make it runs off to Amazon, gets the page, replaces all the Amazon links with spoofed links to itself, then forwards the page on to you. In this fashion, you get theAmazon experience right on through until you click "Buy" and whip out your credit card. The attacker has been in charge of your connection for the entire site visit, but only then does it get smart and start rendering ersatz images. --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
participants (1)
-
Paul Harrison