lists.openwall.net   lists  /  announce  john-users  owl-users  popa3d-users  /  xvendor  oss-security  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4 
Open Source and information security mailing list archives
 
Order Openwall GNU/*/Linux 2.0 on a CD with delivery worldwide
[<prev] [next>] [<thread-prev] [month] [year] [list] 
Date: Thu, 3 Jan 2008 15:34:54 +0200
From: avivra <avivra@...il.com>
To: "Michal Zalewski" <lcamtuf@...ne.cc>
Subject: Re: Yet another Dialog Spoofing Vulnerability -
	Firefox Basic Authentication

On Jan 3, 2008 12:48 PM, Michal Zalewski <lcamtuf@...ne.cc> wrote:

> Note that any person familiar with the dialog is unlikely to be confused
> by this prompt, as a clear indication of the originating site, consistent
> with the design of this dialog, is preserved ("...at
> http://avivraff.com").

Might be, if the domain indication was more clear, and not at the end
of the attacker controlled text.

> As such, I would certainly not go as far as
> recommending "not to provide username and password to web sites which show
> this dialog" - that's an overkill. Just don't trust self-contradictory or
> unusually structured dialogs - you never should.

I think regular users would find it difficult to distinguish between a
normal dialog and an unusually structured dialog.

> Naturally, any person *not* used to seeing this dialog might be eager to
> enter his credentials there, lulled by the tech lingo - but that's a
> general complaint about browser design that is in no way specific to
> Firefox; the same person would be likely to give out his password to:
>
>   prompt("Please enter your password for foocorp.com (certified by Verisign)")'.
>
> ...simply because a systemic failure of browser vendors to provide
> user-friendly security signaling and UI behavior (along the lines of: "as
> far as we're concerned, any person with no understanding of SSL, HTTP, and
> DNS had it coming and should die in a fire").
>

Actually, the prompt is not a good example, as FireFox does show the
originating domain in the title, and IE7 disables prompt by default.
Though, I do agree that there are people out there that will be fooled
by this too.

--Aviv.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux