[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

To: loconet@xxxxxxxxx
Subject: Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing
From: Aviv Raff <avivra@xxxxxxxxx>
Date: Sat, 31 Jul 2004 17:59:50 +0200

> Has anyone tried the proof of concept with a real ssl cert and get it 
> working? 

Yep. 
Try here: http://avivra.europe.webmatrixhosting.net/moz/certspoof1.html

> I just tried it using two different ssl urls and the page only redirected me 
> to the 
> proper site. I did not see the output generated by document.writeln even 
> after 
> viewing the source.

It works just fine with paypal.

> Can anyone confirm this? 

Confirmed. Using FireFox 0.9.2 on XP and Win2k3.

> I haven't seen any mention of it on bugzilla either.

It's probably checked as a security issue, therefore it's not public.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing
  - From: Alain Crespo

Prev by Date: RE: [Full-Disclosure] FullDisclosure: CWS removal tools
Next by Date: Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing
Previous by thread: RE: [Full-Disclosure] FullDisclosure: CWS removal tools
Next by thread: Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing
Index(es):
- Date
- Thread