1997-01-04 - Re: Hyperlink Spoofing: an attack on SSL server authentication

Header Data

From: “Frank O’Dwyer” <fod@brd.ie>
To: Adam Shostack <adam@homeport.org>
Message Hash: fd362a7662259fef5308e75e9fd2b051661a5bc6d0a0f569625e99ba2e3f5754
Message ID: <199701041555.PAA00531@brd.ie>
Reply To: <199701041504.KAA24308@homeport.org>
UTC Datetime: 1997-01-04 15:54:21 UTC
Raw Date: Sat, 4 Jan 1997 07:54:21 -0800 (PST)

Raw message

From: "Frank O'Dwyer" <fod@brd.ie>
Date: Sat, 4 Jan 1997 07:54:21 -0800 (PST)
To: Adam Shostack <adam@homeport.org>
Subject: Re: Hyperlink Spoofing: an attack on SSL server authentication
In-Reply-To: <199701041504.KAA24308@homeport.org>
Message-ID: <199701041555.PAA00531@brd.ie>
MIME-Version: 1.0
Content-Type: text/plain



> Ed Felten of Princeton presented something similar at the DIMACS
> Network Threats workshop in November 96.

Jim Truitt just posted a link for their paper, which I've linked
off my page. Although it incorporates most of the same 
ground as my stuff, I think I have shown some additional
vulnerabilities and (more importantly) some new fixes.

Cheers,
Frank O'Dwyer.

> Frank O'Dwyer wrote:
> | 
> | I've written up an attack on SSL server authentication at
> |      
> | 	http://www.iol.ie/~fod/sslpaper/sslpaper.htm
> | 
> | As far as I am aware, this attack hasn't been written about before.
> | It does not attack the SSL protocol or low-level cryptography, but works
> | at a higher level in order to persuade users to connect to fake servers, 
> | with the browser nonetheless giving all the usual appearances of a 
> | secure session.
> 
> 
> -- 
> "It is seldom that liberty of any kind is lost all at once."
> 					               -Hume
> 
> 






