yes_sir
@net.mx
|  Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws!
requesting a ssl connection. I was able to trick Firefox in thinking
the hostname behind the at-sign is legit and the same as the URI that
requested an ssl connection, and this without a warning.
PoC:
You can add as much garbage between .com and the @ sign.
So what else can we do?
PoC:
ah heck we don't need that at all:
works fine also :) | |
|
 
jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland | Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! Dude, the version is still 2.0.0.11. | |
|
 | |
| | 
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
| Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! Soon. Should be any day assuming no release blockers.
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer | |
|
| | | |
| | | |
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
| Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! said by chachazz  :Name: Firefox 2.0.0.12 Scheduled Release Date : February 7 Release Schedule Ooh. Hmmph, no suite product SeaMonkey? 
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer | |
|
| | | | | pepperxn
join:2001-02-21
| Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! said by antdude :said by chachazz :Name: Firefox 2.0.0.12 Scheduled Release Date : February 7 Release Schedule Ooh. Hmmph, no suite product SeaMonkey? SeaMonkey 1.1.8 is coming soon.
»home.kairo.at/blog/2008-02/weekl···w05_2008
Notice this sentence: "I created and uploaded (two sets of) candidate builds for SeaMonkey 1.1.8 this week, which is our upcoming security release for the stable 1.1.x series. We target a release nearly in sync with Firefox 2.0.0.12 this Thursday or Friday." | |
|
WeenieBoy
join:2003-06-25
Pasadena, MD | Besides the wrong version with this "problem" What are you saying ? When I did it I got the certificate from the rogue host so how the heck is that wrong ? What does "legit" mean ?
I am confused about your post | |
|
Epyon9283
Premium
join:2001-12-26
Dayton, NJ | What the heck are you talking about?
What comes after the @ is the host name that firefox is going to connect to. If that host has a valid, trusted SSL cert you're not going to see a warning message. What are you spoofing? | |
|
Grail Knight
Who Dares Wins
Premium
join:2003-05-31
 ·Verizon Online DSL
| So are you testing the beta in hopes of informing Mozilla Foundation that they need to work on the beta?
The beta is 2.0.0.12pre.
The release is 2.0.0.11
--
"We must look for consistency. Where there is a want of it we must suspect deception." - Sherlock Holmes | |
|
|
|
|
|
·
·