Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! in Security http://www.dslreports.com/forum/r19944847 en Wed, 02 Dec 2009 08:47:58 EDT Wed, 02 Dec 2009 08:47:58 EDT Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! http://www.dslreports.com/forum/remark,19949475 pepperxn :
said by antdude See Profile :

said by chachazz See Profile :

Name: Firefox 2.0.0.12
Scheduled Release Date : February 7
Release Schedule
Ooh. Hmmph, no suite product SeaMonkey? :(
SeaMonkey 1.1.8 is coming soon.

»home.kairo.at/blog/2008-02/weekl···w05_2008

Notice this sentence: "I created and uploaded (two sets of) candidate builds for SeaMonkey 1.1.8 this week, which is our upcoming security release for the stable 1.1.x series. We target a release nearly in sync with Firefox 2.0.0.12 this Thursday or Friday."]]> http://www.dslreports.com/forum/remark,19949475 Thu, 07 Feb 2008 04:41:50 EDT Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! http://www.dslreports.com/forum/remark,19949274 antdude :
said by chachazz See Profile :

Name: Firefox 2.0.0.12
Scheduled Release Date : February 7
Release Schedule
Ooh. Hmmph, no suite product SeaMonkey? :(
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer]]> http://www.dslreports.com/forum/remark,19949274 Thu, 07 Feb 2008 02:00:54 EDT Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! http://www.dslreports.com/forum/remark,19949264 chachazz : Name: Firefox 2.0.0.12
Scheduled Release Date : February 7
Release Schedule
--
Gladiator Security Forum: www.gladiator-antivirus.com/
]]> http://www.dslreports.com/forum/remark,19949264 Thu, 07 Feb 2008 01:54:36 EDT Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! http://www.dslreports.com/forum/remark,19949258 antdude :
said by La Luna See Profile :

said by jansson_mark See Profile :

Dude, the version is still 2.0.0.11.
»Firefox 2.0.12 VS IE7

»wiki.mozilla.org/Releases/Firefox_2.0.0.12

»ftp.eu.mozilla.org/pub/mozilla.o···?C=M;O=D
Soon. Should be any day assuming no release blockers.
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer]]> http://www.dslreports.com/forum/remark,19949258 Thu, 07 Feb 2008 01:51:22 EDT Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! http://www.dslreports.com/forum/remark,19949180 La Luna :
said by jansson_mark See Profile :

Dude, the version is still 2.0.0.11.
»Firefox 2.0.12 VS IE7

»wiki.mozilla.org/Releases/Firefox_2.0.0.12

»ftp.eu.mozilla.org/pub/mozilla.o···?C=M;O=D
--
10,504 DEADLY TERROR ATTACKS SINCE 9/11~~TEAM DISCOVERY
Can't feel you anymore, don't need you anymore, don't believe you anymore, I don't need you anymore
]]> http://www.dslreports.com/forum/remark,19949180 Thu, 07 Feb 2008 01:06:07 EDT Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! http://www.dslreports.com/forum/remark,19949112 pepperxn : 2 flaws here.

»www.0x000000.com/?i=509

and

»www.0x000000.com/index.php?i=511
»https://bugzilla.mozilla.org/show_bug.cgi?id=415034

Haven't found the bug # for the first one yet. 2nd one has a patch, and will be fixed in 1.8.1.13 (Firefox 2.0.0.13).]]> http://www.dslreports.com/forum/remark,19949112 Thu, 07 Feb 2008 00:40:04 EDT Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! http://www.dslreports.com/forum/remark,19947585 Grail Knight : So are you testing the beta in hopes of informing Mozilla Foundation that they need to work on the beta?

The beta is 2.0.0.12pre.

The release is 2.0.0.11
--
"We must look for consistency. Where there is a want of it we must suspect deception." - Sherlock Holmes]]> http://www.dslreports.com/forum/remark,19947585 Wed, 06 Feb 2008 20:14:24 EDT Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! http://www.dslreports.com/forum/remark,19947475 Epyon9283 : What the heck are you talking about?

What comes after the @ is the host name that firefox is going to connect to. If that host has a valid, trusted SSL cert you're not going to see a warning message. What are you spoofing?]]> http://www.dslreports.com/forum/remark,19947475 Wed, 06 Feb 2008 19:53:20 EDT Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! http://www.dslreports.com/forum/remark,19947428 WeenieBoy : Besides the wrong version with this "problem" What are you saying ? When I did it I got the certificate from the rogue host so how the heck is that wrong ? What does "legit" mean ?

I am confused about your post ]]> http://www.dslreports.com/forum/remark,19947428 Wed, 06 Feb 2008 19:44:41 EDT Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! http://www.dslreports.com/forum/remark,19945399 jansson_mark : Dude, the version is still 2.0.0.11.]]> http://www.dslreports.com/forum/remark,19945399 Wed, 06 Feb 2008 14:05:08 EDT Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws! http://www.dslreports.com/forum/remark,19944847 anon : Firefox seems to have trouble with defining the proper hostname when
requesting a ssl connection. I was able to trick Firefox in thinking
the hostname behind the at-sign is legit and the same as the URI that
requested an ssl connection, and this without a warning.

PoC:
You can add as much garbage between .com and the @ sign.

So what else can we do?

PoC:
ah heck we don't need that at all:
works fine also :)]]> http://www.dslreports.com/forum/remark,19944847 Wed, 06 Feb 2008 12:28:32 EDT