Red Hat Bugzilla – Bug 149939
CAN-2005-0593 SSL "secure site" indicator spoofing
Last modified: 2007-11-30 17:07:16 EST
Various schemes were reported that could cause the "secure site" lock icon to
appear and show certificate details for the wrong site. These could be used by
phishers to make their spoofs look more legitimate, particularly in windows that
hide the address bar showing the true location.
Mook reports that opening a spoof site that never finishes loading in a window
displaying a secure site will continue to show the security indicators of the
original site. Kohei Yoshino accomplishes the same result using document.write()
to create the spoof in the secure window.
Doug Turner demonstrates that faked security indicators can be turned on for the
current window contents by attempting to load content from a non-HTTP server
that supports SSL (for example, a mail server). The SSL indicator was set based
on the successful SSL handshake despite the failure to load the requested content.
Similarly, M. Deaudelin demonstrates that a spoofer could use a URL that returns
an HTTP 204 error to set both the SSL icon and update the location while still
showing the original content, presumably a spoof.
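The common thread in the reports above is that the security UI was driven by transport events (a completed SSL handshake, a 204 response) rather than by the document actually on screen. The following is an added, deliberately simplified model (not Mozilla's code; all hosts are constructed) that contrasts that "handshake" policy with a "committed-document" policy for the 204 and non-HTTP-server cases:

```javascript
// Simplified model of a browser tab's "secure site" indicator, constructed
// for illustration only (not Mozilla's code). Two policies are compared:
//   "handshake": the lock follows the last successful SSL handshake and the
//                address bar follows any response, the behaviour in this bug;
//   "committed": lock and address follow only a document that actually
//                replaced the displayed content.
function createTab(policy) {
  return {
    policy,
    displayed: "http://spoof.example",   // document the user sees (constructed)
    location:  "http://spoof.example",   // what the address bar shows
    lock: false,                          // the "secure site" indicator
    // A TLS handshake with some host succeeded. It proves a socket was
    // opened, not what is displayed, so the fixed policy ignores it.
    onHandshake(origin) {
      if (this.policy === "handshake") this.lock = true;
    },
    // A response arrived. Only a renderable document (200 with a body)
    // commits new content; a 204 or a failed load must change nothing.
    onResponse(origin, status, secure, body) {
      const commits = status === 200 && body.length > 0;
      if (this.policy === "handshake" && status === 204) this.location = origin;
      if (commits) { this.displayed = origin; this.location = origin; this.lock = secure; }
    },
    // The UI is honest only if lock and address describe the displayed document.
    consistent() {
      return this.location === this.displayed &&
             this.lock === this.displayed.startsWith("https:");
    },
  };
}

// The 204 case: a request to a real HTTPS site that answers with no content.
function scenario204(policy) {
  const tab = createTab(policy);
  tab.onHandshake("https://bank.example");
  tab.onResponse("https://bank.example", 204, true, "");
  return tab;
}

// The non-HTTP SSL server case: handshake succeeds, then the load fails.
function scenarioNonHttp(policy) {
  const tab = createTab(policy);
  tab.onHandshake("https://mail.example");
  tab.onResponse("https://mail.example", 0, true, ""); // status 0: no document
  return tab;
}
```

Under the "handshake" policy both scenarios leave the lock on while the spoof remains displayed; under the "committed" policy neither event changes the indicator or the address bar.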
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.