lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <8beca820801030534h722d7d51sf749cf24ebc1b50a@mail.gmail.com>
Date: Thu, 3 Jan 2008 15:34:54 +0200
From: avivra <avivra@...il.com>
To: "Michal Zalewski" <lcamtuf@...ne.cc>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication

On Jan 3, 2008 12:48 PM, Michal Zalewski <lcamtuf@...ne.cc> wrote:

> Note that any person familiar with the dialog is unlikely to be confused
> by this prompt, as a clear indication of the originating site, consistent
> with the design of this dialog, is preserved ("...at
> http://avivraff.com").

Might be, if the domain indication was more clear, and not at the end
of the attacker controlled text.

> As such, I would certainly not go as far as
> recommending "not to provide username and password to web sites which show
> this dialog" - that's an overkill. Just don't trust self-contradictory or
> unusually structured dialogs - you never should.

I think regular users would find it difficult to distinguish between a
normal dialog and an unusually structured dialog.

> Naturally, any person *not* used to seeing this dialog might be eager to
> enter his credentials there, lulled by the tech lingo - but that's a
> general complaint about browser design that is in no way specific to
> Firefox; the same person would be likely to give out his password to:
>
>   prompt("Please enter your password for foocorp.com (certified by Verisign)")'.
>
> ...simply because a systemic failure of browser vendors to provide
> user-friendly security signaling and UI behavior (along the lines of: "as
> far as we're concerned, any person with no understanding of SSL, HTTP, and
> DNS had it coming and should die in a fire").
>

Actually, the prompt is not a good example, as FireFox does show the
originating domain in the title, and IE7 disables prompt by default.
Though, I do agree that there are people out there that will be fooled
by this too.

--Aviv.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ