Confirmed on emacs on freebsd running on an alpha. J
On Mon, 04 Feb 2008 18:49:59 -0500 Larry Seltzer <[EMAIL PROTECTED]> wrote:
>I get this same warning on FF 3.0 beta 2 on Vista.
>
>Larry Seltzer
>eWEEK.com Security Center Editor
>http://security.eweek.com/
>http://blogs.pcmag.com/securitywatch/
>Contributing Editor, PC Magazine
>[EMAIL PROTECTED]
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of steve menard
>Sent: Monday, February 04, 2008 3:36 PM
>To: [email protected]
>Cc: carl hardwick
>Subject: Re: [Full-disclosure] Firefox 2.0.0.12 SSL Spoofing and Domain Guessing vulnerabilities
>
>I get a warning on 2.0.0.11 Linux Ubuntu
>
>You are about to log into the site "google" with the username "[EMAIL PROTECTED]", but the website does not require authentication. this may be an attempt to trick you Is "google" the site you want to visit.?
>
>is this a 2.0.0.12 issue?
>Steve
>
>carl hardwick wrote:
>> Firefox seems to have trouble with defining the proper hostname when
>> requesting a ssl connection. I was able to trick Firefox in thinking
>> the hostname behind the at-sign is legit and the same as the URI that
>> requested an ssl connection, and this without a warning.
>>
>> PoC: https://[EMAIL PROTECTED]
>>
>> You can add as much garbage between .com and the @ sign.
>>
>> So what else can we do?
>>
>> PoC:
>> [EMAIL PROTECTED]
>> [EMAIL PROTECTED]
>>
>> ah heck we don't need that at all:
>> www.gmail.comxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@hotmail
>>
>> works fine also :)
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
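
The URLs discussed in this thread put a hostname-looking string in the userinfo part of the URL (everything before the @ sign), while the connection goes to the host after it. As an added example, not part of the original posts: a JavaScript check built on the standard `URL` parser that reports the real host and flags userinfo shaped like a hostname. The names `inspectUrl`, `HOSTLIKE` and `HAS_SCHEME` and the example.* URLs are constructed for illustration.

```javascript
// Added example; all sample URLs in the test use reserved example.* domains.

// Userinfo that starts like a DNS name: dot-separated labels ending in letters.
// Trailing letters (the "garbage" padding described in the thread) still match.
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}/i;
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

function inspectUrl(raw) {
  // The thread shows PoCs with and without a scheme; assume https when absent.
  const text = HAS_SCHEME.test(raw) ? raw : "https://" + raw;
  try {
    const url = new URL(text);
    // Decode so that percent-encoded dots (%2E) cannot hide a hostname.
    const user = decodeURIComponent(url.username);
    const match = HOSTLIKE.exec(user);
    const claimedHost = match ? match[0].toLowerCase() : null;
    return {
      host: url.hostname,            // where the browser actually connects
      userinfo: user || null,        // what precedes the @ sign
      claimedHost,                   // hostname the userinfo imitates, if any
      deceptive: claimedHost !== null && claimedHost !== url.hostname,
    };
  } catch (err) {
    // Unparseable URL or malformed percent-encoding: report, do not guess.
    return { host: null, userinfo: null, claimedHost: null,
             deceptive: false, error: String(err) };
  }
}
```

A mail gateway, proxy or link-rendering component can call `inspectUrl` on each link and show or log `host` instead of the raw string whenever `deceptive` is true.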
