Date: Tue, 30 Jun 2015 15:52:45 +0200
From: Florian Weimer <fweimer@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Google Chrome Address Spoofing (Request For Comment)

On 06/30/2015 03:45 PM, Daniel Micay wrote:
> It does display a window with the oracle.com address, but I don't
> understand why you've got an ever increasing number of setTimeout events
> built in here. It's also unclear what you mean about click-to-verify. Is
> this bypassing a warning prompt by breaking it with a flood of requests?

I have not tried this, but here's some context:

Most browsers have issues where they do not update the URL bar when
content from a different site is shown (i.e., the update happens too late), or
they show the new URL while still displaying old content (update too
late).  I've seen such discrepancies with Firefox, but I don't know if
it's still present in current versions.

If such bugs are present, freezing browsers while they are showing
inconsistent content (hence the DoS attempt) could lead the user to
attribute content to the incorrect site.

-- 
Florian Weimer / Red Hat Product Security
