Mozilla Foundation Security Advisory 2005-14

SSL "secure site" indicator spoofing

Announced: February 24, 2005
Reporter: Mook, Doug Turner, Kohei Yoshino, M. Deaudelin
Risk: Moderate
Impact: Moderate
Products: Firefox, Mozilla Suite
Fixed in:
  • Firefox 1.0.1
  • Mozilla Suite 1.7.6

Description

Various schemes were reported that could cause the "secure site" lock icon to appear and show certificate details for the wrong site. These could be used by phishers to make their spoofs look more legitimate, particularly in windows that hide the address bar showing the true location.

Mook reports that opening a spoof site that never finishes loading in a window displaying a secure site will continue to show the security indicators of the original site. Kohei Yoshino accomplishes the same result using document.write() to create the spoof in the secure window.

Doug Turner demonstrates that faked security indicators can be turned on for the current window contents by attempting to load content from a non-HTTP server that supports SSL (for example, a mail server). The SSL indicator was set based on the successful SSL handshake despite the failure to load the requested content.

Similarly, M. Deaudelin demonstrates that a spoofer could use a URL that returns an HTTP 204 (No Content) response to both set the SSL icon and update the location while still showing the original content, presumably a spoof.
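All four reports break the same invariant: the lock icon and location must describe the document actually displayed. The added example below (not Mozilla code) models that invariant and replays each report as constructed events against a flawed and a hardened update policy. The origins, the event names and the hardened policy are assumptions made for illustration, not the fix that shipped.

```javascript
// Constructed model of a window's security UI (not Mozilla code).
//   shown: origin of the document actually displayed
//   lock:  origin the lock icon / certificate details vouch for (null = no lock)
//   bar:   origin shown as the location
const consistent = (w) => (w.lock === null || w.lock === w.shown) && w.bar === w.shown;

// Flawed policy: indicators react to network events, not to what is displayed.
function flawed(w, e) {
  const n = { ...w };
  if (e.ev === "start" && e.tls) n.lock = e.origin;  // handshake alone sets the lock
  if (e.ev === "paint") n.shown = e.origin;          // content swaps, indicators stay
  if (e.ev === "nocontent") { n.bar = e.origin; n.lock = e.tls ? e.origin : null; }
  if (e.ev === "finish") { n.shown = n.bar = e.origin; n.lock = e.tls ? e.origin : null; }
  return n;
}

// Assumed invariant-preserving policy: all three fields change together,
// and only when the displayed content changes.
function hardened(w, e) {
  if (e.ev !== "paint" && e.ev !== "finish") return { ...w };
  return { shown: e.origin, bar: e.origin, lock: e.tls ? e.origin : null };
}

// Constructed starting states and event sequences, one per report.
// "paint" carries the origin of whoever supplied the content now on screen.
const secure = { shown: "bank.example", lock: "bank.example", bar: "bank.example" };
const spoof = { shown: "spoof.example", lock: null, bar: "spoof.example" };
const scenarios = {
  stalledLoad: [secure, [{ ev: "start", origin: "spoof.example", tls: false },
                         { ev: "paint", origin: "spoof.example", tls: false }]],
  documentWrite: [secure, [{ ev: "paint", origin: "spoof.example", tls: false }]],
  nonHttpTls: [spoof, [{ ev: "start", origin: "mail.example", tls: true },
                       { ev: "fail", origin: "mail.example" }]],
  http204: [spoof, [{ ev: "start", origin: "bank.example", tls: true },
                    { ev: "nocontent", origin: "bank.example", tls: true }]],
};

const run = (policy, start, events) => events.reduce((w, e) => policy(w, e), start);

// Returns, per scenario, whether the indicators still match the displayed document.
function audit(policy) {
  const out = {};
  for (const [name, [start, events]] of Object.entries(scenarios)) {
    out[name] = consistent(run(policy, start, events));
  }
  return out;
}
console.log("flawed:", audit(flawed));
console.log("hardened:", audit(hardened));
```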

Workaround

Do not browse trusted sites in the same session as untrusted sites. Do not use or trust links from untrusted sites that "helpfully" link to financial institutions or similar sites with high-value information.
