Date: Tue, 30 Jun 2015 10:04:11 -0400
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Google Chrome Address Spoofing (Request For Comment)

On 30/06/15 09:52 AM, Florian Weimer wrote:
> On 06/30/2015 03:45 PM, Daniel Micay wrote:
>> It does display a window with the oracle.com address, but I don't
>> understand why you've got an ever increasing number of setTimeout events
>> built in here. It's also unclear what you mean about click-to-verify. Is
>> this bypassing a warning prompt by breaking it with a flood of requests?
>
> I have not tried this, but here's some context:
>
> Most browsers have issues where they do not update the URL bar when
> content from a different is shown (i.e., the update happens too late), or
> they show the new URL while still displaying old content (update too
> late). I've seen such discrepancies with Firefox, but I don't know if
> it's still present in current versions.
>
> If such bugs are present, freezing browsers while they are showing
> inconsistent content (hence the DoS attempt) could lead the user to
> attribute content to the incorrect site.

Ah, that makes sense. It seems to depend on a race condition so it makes
sense that it can't always be replicated. I've tried it a few times and
it fails about as often as it works. I have a feeling that the proof of
concept was the whole issue report and it just happened to fail for
whoever tested it.