From: “Frank O’Dwyer” <fod@brd.ie>
To: ssl-talk@netscape.com
Message Hash: dee8905463263f9c9c92dc64988898320697273989f4e9c3b7368cb1877002da
Message ID: <199701041259.MAA00180@brd.ie>
Reply To: N/A
UTC Datetime: 1997-01-04 13:00:56 UTC
Raw Date: Sat, 4 Jan 1997 05:00:56 -0800 (PST)
From: "Frank O'Dwyer" <fod@brd.ie>
Date: Sat, 4 Jan 1997 05:00:56 -0800 (PST)
To: ssl-talk@netscape.com
Subject: Hyperlink Spoofing: an attack on SSL server authentication
Message-ID: <199701041259.MAA00180@brd.ie>
MIME-Version: 1.0
Content-Type: text/plain
I've written up an attack on SSL server authentication at
http://www.iol.ie/~fod/sslpaper/sslpaper.htm
As far as I am aware, this attack hasn't been written about before.
It does not attack the SSL protocol or low-level cryptography, but works
at a higher level in order to persuade users to connect to fake servers,
with the browser nonetheless giving all the usual appearances of a
secure session.
Not much technical sophistication is required to carry off the attack,
and the impact is that a user may be persuaded to reveal information
such as credit card numbers, PINs, insurance or bank details, or other
private information to the fake server. Another risk is that the user
may download and run trojan Java applets or executables (e.g. banking
or database clients) from the fake server, believing them to be from the
real server and therefore safe.
I am posting this announcement on comp.security.misc, ssl-talk and on
cypherpunks. If you know of any other individuals who may be concerned
about this attack, but who do not read this group or those lists, please
forward this message to them.
Cheers,
Frank O'Dwyer
fod@brd.ie
Return to January 1997
Return to ““Frank O’Dwyer” <fod@brd.ie>”