1997-01-04 - Hyperlink Spoofing: an attack on SSL server authentication

Header Data

From: “Frank O’Dwyer” <fod@brd.ie>
To: ssl-talk@netscape.com
Message Hash: dee8905463263f9c9c92dc64988898320697273989f4e9c3b7368cb1877002da
Message ID: <199701041259.MAA00180@brd.ie>
Reply To: N/A
UTC Datetime: 1997-01-04 13:00:56 UTC
Raw Date: Sat, 4 Jan 1997 05:00:56 -0800 (PST)

Raw message

From: "Frank O'Dwyer" <fod@brd.ie>
Date: Sat, 4 Jan 1997 05:00:56 -0800 (PST)
To: ssl-talk@netscape.com
Subject: Hyperlink Spoofing: an attack on SSL server authentication
Message-ID: <199701041259.MAA00180@brd.ie>
MIME-Version: 1.0
Content-Type: text/plain


I've written up an attack on SSL server authentication at

    http://www.iol.ie/~fod/sslpaper/sslpaper.htm

As far as I am aware, this attack hasn't been written about before.
It does not attack the SSL protocol or low-level cryptography, but works
at a higher level in order to persuade users to connect to fake servers,
with the browser nonetheless giving all the usual appearances of a
secure session.

Not much technical sophistication is required to carry off the attack,
and the impact is that a user may be persuaded to reveal information
such as credit card numbers, PINs, insurance or bank details, or other
private information to the fake server. Another risk is that the user
may download and run trojan Java applets or executables (e.g. banking
or database clients) from the fake server, believing them to be from the
real server and therefore safe.

I am posting this announcement on comp.security.misc, ssl-talk and on
cypherpunks. If you know of any other individuals who may be concerned
about this attack, but who do not read this group or those lists, please
forward this message to them.

Cheers,
Frank O'Dwyer
fod@brd.ie
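The announcement's title names the technique (hyperlink spoofing) but the message itself stays at a high level: the user is led to a fake server while the browser shows a normal secure session. The check below is an added example, not part of Frank O'Dwyer's message or of the linked paper. It assumes the spoofing takes the form the name suggests, a link whose visible text names one site while its href sends the browser somewhere else, and flags such anchors in an HTML fragment. The HTML and the host names in it are constructed for the example.

```python
# Added example: flag anchors whose displayed URL names a different host
# than the href the browser would actually connect to. This is the kind
# of mismatch a mail or page filter can catch before a user ever sees a
# padlock on the wrong server. Not code from the original message.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of an http(s) URL, or None if the text is not a URL."""
    parsed = urlparse(url.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def find_spoofed_links(html):
    """Return (visible_text, href) for anchors whose displayed host differs
    from the host the browser would connect to. Anchors whose text is not a
    URL are not reported: there is no displayed host for the href to contradict."""
    collector = _AnchorCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.anchors:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            suspicious.append((text, href))
    return suspicious


# Constructed sample page; the .test host names are placeholders.
SAMPLE_PAGE = """
<p>Log in at <a href="https://secure.example-bank.test/login">https://secure.example-bank.test/login</a></p>
<p>Or use <a href="https://secure-example-bank.attacker.test/login">https://secure.example-bank.test/login</a></p>
<p>Read the <a href="https://www.example-bank.test/help">help pages</a></p>
"""

if __name__ == "__main__":
    for text, href in find_spoofed_links(SAMPLE_PAGE):
        print(f"displayed {text!r} but would connect to {href!r}")
```

Only the second anchor is reported: its text and its href both look like URLs, but the hosts differ. The check deliberately compares hosts rather than whole URLs, because a different path on the same host is not a spoof, and it says nothing about whether the fake server's own certificate is valid; the point of the attack is that it can be.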
