If you'd like to try out something similar, you can go to
"about:config" and set "browser.identity.ssl_domain_display" to
"1" (1st level domain only) or "2" (entire domain name).
Lucas.
On Feb 20, 2009, at 11:06 AM, evilredsca...@gmail.com wrote:
On Feb 20, 7:55 am, Jean-Marc Desperrier <jmd...@alussinan.org> wrote:
Eddy Nigg wrote:
On 02/19/2009 03:30 PM, Jean-Marc Desperrier:
Moxie Marlinspike in Black Hat has just demonstrated a very
serious i18n
attack using a *.ijjk.cn certificate.
http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-D
...
.cn is authorized for i18n, and the * will match anything,
allowing all
the classic i18n based attacks.
This was striking:
Get a domain-validated SSL wildcard cert for *.ijjk.cn
Yes, it's surprising how some of such attacks seem obvious *after*
they
have been done, but it takes so long to realize it can be done.
The md5 collision between a normal and a *CA* certificate was similar
for me, "how the fuck did we not think earlier, when it was already
obvious someone would soon create a collision between two real md5
certs, that they just had to do that to make the attack really
effective".
This being said : Is there already a bug open for this ? The only
thing
that stops me opening it myself is that it might already exist but be
security restricted.
PS : I think this discussion should be on mozilla.dev.security since
it's about a security vulnerability, not crypto and not
security.policy.
Does everyone share my opinion ? (I'm setting the follow-up there)
I have no idea as to how to submit an idea to the Mozilla dev team,
but it seems to me that a step towards a solution might include color-
coding portions of the URL to indicate which is the domain that's
"authenticated" by SSL. For example:
Black on White-> https://
White on blue -> www.pnc.com
Black on light red -> /pages/of/junk/index.html
Yes, it still requires a user to notice the change and make a decision
based on that, but having a strong visual indicator is a step in the
right direction, IMHO.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
