[Dailydave] SSL MITM fun.

Michal Zalewski lcamtuf at coredump.cx
Thu Feb 19 15:16:38 EST 2009


>> have HTTPS://www.paypal.com/?domain.cn?<some args> validate
> Unless I'm missing something, this is essentially what Eric Johanson
> said in 2005 about IDN: http://www.shmoo.com/idn/homograph.txt

Yes, and unless I am mistaken, most browsers should take a number of
countermeasures, including banning many homographs not consistent with
the user's current script, or the script of the target domain; in
particular, I think /-lookalikes are banned in most implementations,
making this vector much less plausible.

The screenshots in that presentation seem to be of Firefox 1.5,
judging from UI icons.

> If you can sit between endpoints, modify traffic, and you control one
> of the eventual endpoints anyway, and only you're jumping through all
> these hoops to maintain the illusion for the unsuspecting user, why
> not just take control of DNS and *actually* MITM SSL?

To avoid scary security warnings.

/mz
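The browser countermeasures mentioned above (rejecting labels that mix scripts, rejecting labels in a script the user does not use when every glyph has a Latin lookalike, and rejecting slash-lookalike characters) can be modelled in a few lines. The following is an added example, not code from the thread or from any browser; the script table, the slash-lookalike set and the Cyrillic confusable map are deliberately small constructed subsets, and `script_of` derives a rough script from the Unicode character name because the standard library exposes no Script property.

```python
import unicodedata

# Scripts this example distinguishes; digits, hyphens and punctuation fall under "Common".
KNOWN_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
                 "HANGUL", "HIRAGANA", "KATAKANA", "CJK", "THAI", "DEVANAGARI"}

# Characters that render like "/" in many fonts (hand-picked subset for this example):
# U+2044 FRACTION SLASH, U+2215 DIVISION SLASH, U+29F8 BIG SOLIDUS, U+FF0F FULLWIDTH SOLIDUS.
SLASH_LOOKALIKES = {"\u2044", "\u2215", "\u29f8", "\uff0f"}

# Cyrillic lowercase letters whose glyphs are near-identical to Latin ones
# (constructed subset; real confusable tables are far longer).
CYRILLIC_TO_LATIN = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                     "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
                     "\u0456": "i", "\u0458": "j", "\u04bb": "h"}


def script_of(ch):
    """Approximate the script of a character from the first word of its Unicode name."""
    name = unicodedata.name(ch, "")
    first = name.split(" ", 1)[0] if name else ""
    return first if first in KNOWN_SCRIPTS else "Common"


def to_unicode(hostname):
    """Decode punycode (xn--) labels so the check sees what the user would see."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname  # already Unicode, or not decodable: inspect as given


def homograph_findings(hostname, user_scripts=("LATIN",)):
    """Return a list of human-readable reasons a hostname looks like a homograph attempt."""
    findings = []
    for label in to_unicode(hostname).split("."):
        scripts = {script_of(ch) for ch in label} - {"Common"}

        # Rule 1: a single label mixing two scripts (e.g. Latin + Cyrillic) is suspicious.
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")

        # Rule 2: characters that impersonate a path separator in the URL bar.
        for ch in label:
            if ch in SLASH_LOOKALIKES:
                findings.append(f"slash lookalike U+{ord(ch):04X} in label {label!r}")

        # Rule 3: a whole-script Cyrillic label the user would not normally type, built
        # entirely from letters that render like Latin ones.
        if scripts == {"CYRILLIC"} and "CYRILLIC" not in user_scripts:
            letters = [ch for ch in label if script_of(ch) == "CYRILLIC"]
            if letters and all(ch in CYRILLIC_TO_LATIN for ch in letters):
                lookalike = "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in label)
                findings.append(
                    f"whole-script confusable: {label!r} renders like {lookalike!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs: a clean host, a mixed-script host, its punycode form,
    # a slash-lookalike host and a whole-script Cyrillic lookalike.
    for host in ["www.paypal.com", "p\u0430ypal.com", "xn--pypal-4ve.com",
                 "www.paypal.com\u2044domain.cn", "\u0441\u043e\u0440\u0443.com"]:
        print(host, "->", homograph_findings(host) or "ok")
```

Rule 1 is the mixed-script restriction, rule 3 approximates the "not consistent with the user's current script" check, and rule 2 is the /-lookalike ban; a real implementation would also carry per-script confusable tables and allow-lists for legitimate mixed-script languages.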

