View Full Version : Phishing - feature or flaw



Secure Science Corporation Bugtraq
25/06/05, 22:55
Hi,

Regarding certain vulnerabilities that are being discovered such as
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test

Are these really features, or are they flaws now because of the phishing
threat vector? Originally JavaScript/DHTML/DOM is pretty powerful and
can do a lot of nasty stuff if someone were inclined. But phishing has
caused us to take a look at the once dubbed features of DHTML, and
possibly put responsibility onto the browser vendors for fixing these
now dubbed "flaws".

For example, is this a flaw -
https://slam.securescience.com/threats/mixed.html (some Mozilla browsers
don't like Thawte yet so you will get a warning). This is a standard
frame with the URL domain as https://slam.securescience.com, but the
body is https://www.bankone.com - take a look at the lock icon - it will
only verify the url domain - is that a browser issue, a CA issue, or a
feature?

As we all have seen, one can use DHTML to create a popup and replace a
mimicked address bar if one were so inclined (dirty rendition at
http://ip.securescience.net/exploits/ - popup blockers off, and it was
designed for IE). Feature, or flaw?


--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!
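
Added example, not part of the original post: a small audit helper for the mixed-frame case described above. It lists the origin of every frame in a page's markup and compares it with the top-level origin, which the post says is the only one the lock icon verifies. The function names, the second and third frame entries and the `example.test` host are constructed for illustration.

```javascript
// Pull src attributes out of <frame>/<iframe> tags. A regex scan is adequate
// for auditing static markup; it is not a full HTML parser.
function frameSources(html) {
  const re = /<i?frame\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Classify each frame relative to the top-level URL shown in the address bar.
function auditFrames(topUrl, html) {
  const top = new URL(topUrl);
  return frameSources(html).map((src) => {
    let u;
    try {
      u = new URL(src, top); // resolves relative paths against the top URL
    } catch {
      return { src, origin: null, verdict: "unparseable" };
    }
    let verdict = "same-origin";
    if (u.origin !== top.origin) verdict = "cross-origin";
    if (top.protocol === "https:" && u.protocol === "http:") {
      verdict = "insecure-in-secure";
    }
    return { src, origin: u.origin, verdict };
  });
}

// Frames whose content comes from somewhere other than the address-bar origin.
function crossOriginFrames(topUrl, html) {
  return auditFrames(topUrl, html).filter((f) => f.verdict !== "same-origin");
}

// Constructed sample modelled on the frameset the post describes.
const SAMPLE_TOP = "https://slam.securescience.com/threats/mixed.html";
const SAMPLE_HTML = `
<frameset rows="100%">
  <frame src="https://www.bankone.com/">
  <frame src='/threats/banner.html'>
  <frame src=http://example.test/ad.html>
</frameset>`;

console.log(auditFrames(SAMPLE_TOP, SAMPLE_HTML));
```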

David A. Wheeler
27/06/05, 21:15
Secure Science Corporation Bugtraq <bugtraq@securescience.net> said:
> Regarding certain vulnerabilities that are being discovered such as
> http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test
>
> Are these really features, or are they flaws now because of the phishing
> threat vector? Originally JavaScript/DHTML/DOM is pretty powerful and
> can do a lot of nasty stuff if someone were inclined. But phishing has
> caused us to take a look at the once dubbed features of DHTML, and
> possibly put responsibility onto the browser vendors for fixing these
> now dubbed "flaws".
>
> For example, is this a flaw -
> https://slam.securescience.com/threats/mixed.html

As has been often noted, "without a specification, the behavior
of a system cannot be wrong, it can only be surprising".

In the long term, it would be a good idea for the
browser makers to get together, agree on, and _write down_ what
security properties users can count on in their browsers. E.g., what
threats are they designed to counter? What are their security
objectives & requirements? What countermeasures are the bare minimum?
Then, if a browser did or didn't do something related to
security, people could appeal to that "minimum standard".
If Microsoft (IE), Mozilla (Firefox), Opera, Apple (Safari),
and KDE (Konqueror) agreed on something, it'd probably go somewhere.
That would at least create some sort of basic "floor" people
could more-or-less count on.

But right now, dancing on the head of the pin of whether something
is a "flaw" is pointless. Browsers are widely used by
ordinary users who simply don't understand this "computer stuff"...
and they won't gain that understanding tomorrow, either.
So, if an ordinary low-knowledge user can be easily tricked into
dangerous behavior by the browser's actions, AND there is a reasonable
countermeasure that the browser could deploy, THEN the browser
should incorporate such a protective measure. Yes,
'easily' and 'reasonable' and other terms are really ambiguous,
but since there's no real security specification for browsers,
that's where we are at right now. (Yes, I'm fully aware that
these naive users wouldn't read a spec.)


--- David A. Wheeler