Message-ID: <AANLkTimMTMxZDwfIjilj4njk2eBcAvaWwt2LQHqp5n7h@mail.gmail.com>
Date: Tue, 29 Jun 2010 11:51:20 +0530
From: Lavakumar Kuppan <lava@...labs.org>
To: Michal Zalewski <lcamtuf@...edump.cx>, Dan Kaminsky <dan@...para.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Chrome and Safari users open to stealth HTML5 Application Cache attack
Mike,
That interpretation is accurate.
Dan,
It is not possible to create caches for HTTPS resources over HTTP.
However, by caching root pages of the site's HTTP equivalent, we can attack
the user before redirecting to HTTPS, similar to SSLstrip.
I probably didn't explain this well in the mail, sorry about that.
Cheers,
Lava
On Tue, Jun 29, 2010 at 6:23 AM, Michal Zalewski <lcamtuf@...edump.cx> wrote:
> > On unsecured networks, attackers could stealthily
> > create malicious Application Caches in the browser of victims for even
> HTTPS
> > sites. It has always been possible to poison the browser cache and
> > compromise the victim's account for HTTP based sites.
> > With HTML5 Application Cache, it is possible to poison the cache of even
> > HTTPS sites.
> > ==
> >
> > Is it agreed that if the above is true -- meaning, separation doesn't
> > actually exist -- then there's a bug?
>
> My understanding is that this refers to the ability to poison
> http://www.mybank.com - which may be the default destination for a
> good percentage of users - even if the only function of this page is
> to redirect directly to https://www.mybank.com.
>
> There should be no ability to use cache manifests delivered over http
> to inject content into the https origin, or at least I hope so.
>
> /mz
>
>
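The case the thread describes is an appcache manifest delivered with the plain-HTTP root page that users reach before the redirect to HTTPS. As an added defender-side check (not code from this thread or from either poster), the script below flags HTML responses served over http:// that declare an application cache manifest; the hostname and markup are constructed samples.

```python
"""Flag HTML5 Application Cache manifests declared by pages served over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ManifestFinder(HTMLParser):
    """Collects the manifest attribute of the <html> element, if present."""

    def __init__(self):
        super().__init__()
        self.manifest = None

    def handle_starttag(self, tag, attrs):
        if tag == "html" and self.manifest is None:
            for name, value in attrs:
                if name == "manifest" and value:
                    self.manifest = value


def find_appcache_manifest(page_url, body):
    """Return the absolute URL of the manifest the page declares, or None."""
    parser = _ManifestFinder()
    parser.feed(body)
    parser.close()
    if parser.manifest is None:
        return None
    return urljoin(page_url, parser.manifest)


def is_cleartext_appcache(page_url, body):
    """True when an http:// page tries to install an application cache.

    A manifest fetched over HTTP can only populate the http:// origin, but
    that origin is the page users type before being redirected to https://,
    so a cached copy of it survives beyond the current visit.
    """
    if find_appcache_manifest(page_url, body) is None:
        return False
    return urlsplit(page_url).scheme == "http"


# Constructed samples (hypothetical host): an http:// redirect page with and
# without a manifest attribute.
SAMPLE_WITH_MANIFEST = ('<!DOCTYPE html><html manifest="/cache.manifest"><head>'
                        '<meta http-equiv="refresh" content="0;url=https://www.example.com/">'
                        '</head><body></body></html>')
SAMPLE_CLEAN = '<!DOCTYPE html><html><head><title>redirecting</title></head></html>'

if __name__ == "__main__":
    for url, body in [("http://www.example.com/", SAMPLE_WITH_MANIFEST),
                      ("http://www.example.com/", SAMPLE_CLEAN),
                      ("https://www.example.com/", SAMPLE_WITH_MANIFEST)]:
        print(url, "->", is_cleartext_appcache(url, body))
```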
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/