Too much time on their hands up in the North Woods

[Paul Harrison]

The boyz at Dartmouth's PKI Lab have been playing with JavaScript. The
results are troubling in an "E-Qold" kind of way.

http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/tr.pdf

By painting over the location and status bars of typical wintel browsers,
and using javascript's pop-up window capability they are able to spoof an
SSL session, without even duping Verisign into giving them a bogus cert.
The effort is painstaking but the results apparently slick. Picks up from
Felton's seminal work (since deprecated).

I like this for Verified by Visa 3-D Secure applications: "Hello, this is
the FleetBankBoston VISA Verifier popup. Please type your password in this
secure window now.....Thank you, and remember, NEVER share your password.
Have a nice day!"

Not discussed, but important to the discerning bad-guy's tool kit is the
"proxy-spoof." This is a webserver which has a home page which looks like,
say, Amazon.com but isn't. For every click you make it runs off to Amazon,
gets the page, replaces all the Amazon links with spoofed links to itself,
then forwards the page on to you. In this fashion, you get theAmazon
experience right on through until you click "Buy" and whip out your credit
card. The attacker has been in charge of your connection for the entire
site visit, but only then does it get smart and start rendering ersatz
images.

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com