Date: Tue, 30 Jun 2015 18:29:07 +0200 From: 0pc0deFR <0pc0defr@...il.com> To: OSS Securty <oss-security@...ts.openwall.com> Subject: Re: Google Chrome Address Spoofing (Request For Comment) Work on Google Chrome Ubuntu. -- Cordialement, Kévin FALCOZ alias 0pc0deFR - Consultant Expert WordPress - http://wordpress-expertise.fr -- Regards, Kévin FALCOZ aka 0pc0deFR - WordPress Expert Consultant - http://wordpress-expertise.fr 2015-06-30 16:04 GMT+02:00 Daniel Micay <danielmicay@...il.com>: > On 30/06/15 09:52 AM, Florian Weimer wrote: > > On 06/30/2015 03:45 PM, Daniel Micay wrote: > >> It does display a window with the oracle.com address, but I don't > >> understand why you've got an ever increasing number of setTimeout events > >> built in here. It's also unclear what you mean about click-to-verify. Is > >> this bypassing a warning prompt by breaking it with a flood of requests? > > > > I have not tried this, but here's some context: > > > > Most browsers have issues where they do not update the URL bar when > > content from a different is shown (i.e., the update happens to late), or > > they show the new URL while still displaying old content (update too > > late). I've seen such discrepancies with Firefox, but I don't know if > > it's still present in current versions. > > > > If such bugs are present, freezing browsers while they are showing > > inconsistent content (hence the DoS attempt) could lead the user to > > attribute content to the incorrect site. > > Ah, that makes sense. It seems to depend on a race condition so it makes > sense that it can't always be replicated. I've tried it a few times and > it fails about as often as it works. I have a feeling that the proof of > concept was the whole issue report and it just happened to fail for > whoever tested it. > >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ