Date: Tue, 29 Jun 2010 11:51:20 +0530
From: Lavakumar Kuppan <lava@...labs.org>
To: Michal Zalewski <lcamtuf@...edump.cx>, Dan Kaminsky <dan@...para.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Chrome and Safari users open to stealth HTML5 Application Cache attack

Mike,

That interpretation is accurate.

Dan,

It is not possible to create caches for HTTPS resources over HTTP.
However, by caching the root pages of the site's HTTP equivalent, we can attack
the user before redirecting to HTTPS, similar to SSLstrip.

I probably didn't explain this well in the mail, sorry about that.

Cheers,
Lava

On Tue, Jun 29, 2010 at 6:23 AM, Michal Zalewski <lcamtuf@...edump.cx> wrote:

> > On unsecured networks, attackers could stealthily
> > create malicious Application Caches in the browser of victims for even HTTPS
> > sites. It has always been possible to poison the browser cache and
> > compromise the victim's account for HTTP based sites.
> > With HTML5 Application Cache, it is possible to poison the cache of even
> > HTTPS sites.
> > ==
> >
> > Is it agreed that if the above is true -- meaning, separation doesn't
> > actually exist -- then there's a bug?
>
> My understanding is that this refers to the ability to poison
> http://www.mybank.com - which may be the default destination for a
> good percentage of users - even if the only function of this page is
> to redirect directly to https://www.mybank.com.
>
> There should be no ability to use cache manifests delivered over http
> to inject content into the https origin, or at least I hope so.
>
> /mz
>
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/