Hyperlink Spoofing: an attack on SSL server authentication
I've written up an attack on SSL server authentication at
http://www.iol.ie/~fod/sslpaper/sslpaper.htm
As far as I am aware, this attack hasn't been written about before.
It does not attack the SSL protocol or low-level cryptography, but works
at a higher level in order to persuade users to connect to fake servers,
with the browser nonetheless giving all the usual appearances of a
secure session.
Not much technical sophistication is required to carry off the attack,
and the impact is that a user may be persuaded to reveal information
such as credit card numbers, PINs, insurance or bank details, or other
private information to the fake server. Another risk is that the user
may download and run trojan Java applets or executables (e.g. banking
or database clients) from the fake server, believing them to be from the
real server and therefore safe.
I am posting this announcement on comp.security.misc, ssl-talk and on
cypherpunks. If you know of any other individuals who may be concerned
about this attack, but who do not read this group or those lists, please
forward this message to them.
Cheers,
Frank O'Dwyer
[email protected]
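As an added illustration (not part of the original post or the linked paper), the following defender-side check scans a page's anchors and flags links whose visible text presents one hostname while the href actually resolves to another. The HTML fragment, hostnames and the regex-based anchor extraction are constructed assumptions for this example; the check deliberately ignores links whose visible text is a plain label, since those cannot be compared this way.

```javascript
// Flag anchors whose displayed URL text names a different host than the href.
// Assumption: a simple regex is enough to pull href and visible text out of
// the constructed fragment below (not a general HTML parser).
const ANCHOR_RE = /<a\s+[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)<\/a>/gis;

// Extract a hostname from visible text that looks like a URL or bare host;
// returns null for ordinary labels such as "Secure login".
function hostOf(text) {
  const m = String(text).trim()
    .match(/^(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[\/:?#]|$)/i);
  return m ? m[1].toLowerCase() : null;
}

// Resolve the href (relative links included) against the page's own origin.
function hrefHost(href, base = 'https://page.example/') {
  try { return new URL(href, base).hostname.toLowerCase(); } catch { return null; }
}

// A link is "spoofed" when the host shown to the user and the real host differ.
function classifyLink(href, visibleText) {
  const shown = hostOf(visibleText);
  const actual = hrefHost(href);
  const spoofed = shown !== null && shown !== actual;
  return { href, visibleText, shown, actual, spoofed };
}

function findSpoofedLinks(html) {
  const out = [];
  for (const [, href, inner] of html.matchAll(ANCHOR_RE)) {
    const text = inner.replace(/<[^>]+>/g, '').trim(); // drop nested tags
    const r = classifyLink(href, text);
    if (r.spoofed) out.push(r);
  }
  return out;
}

// Constructed sample: an honest link, a link whose text claims the real bank
// while the href points at a look-alike host, and a plain-label link.
const SAMPLE_HTML = `
<p>Log in at <a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a></p>
<p>Or via <a href="https://www.examp1e-bank.com/login">https://www.example-bank.com/login</a></p>
<p><a href="https://www.examp1e-bank.com/">Secure login</a></p>
`;

console.log(findSpoofedLinks(SAMPLE_HTML)); // one entry: shown www.example-bank.com, actual www.examp1e-bank.com
```

The look-alike host can still present a certificate that is valid for its own name, which is why the browser's padlock alone does not expose this; the comparison of displayed versus actual host is the signal worth surfacing.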