%T Web Spoofing 2001
%A Yougu Yuan
%A Eileen Zishuang Ye
%A Sean W. Smith
%R Technical Report TR2001-409
%I Dartmouth College, Computer Science
%C Hanover, NH
%D July 2001
%U http://www.cs.dartmouth.edu/reports/TR2001-409.ps.Z
%X
   The Web is currently the pre-eminent medium for electronic
 service delivery to remote users. As a consequence,
 authentication of servers is more important than ever. Even
 sophisticated users base their decision whether or not to trust a
 site on browser cues---such as location bar information, SSL
 icons, SSL warnings, certificate information, response time, etc.
 
   In their seminal work on web spoofing, Felten et al showed how a
 malicious server could forge some of these cues---but using
 approaches that are no longer reproducible.  However, subsequent
 evolution of Web tools has not only patched security holes---it
 has also added new technology to make pages more interactive and
 vivid. In this paper, we explore the feasibility of web spoofing
 using this new technology---and we show how, in many cases, every
 one of the above cues can be forged.
 
   In particular, we show how a malicious server can forge all the
 SSL information a client sees---thus providing a cautionary tale
 about the security of one of the most common applications of PKI.
 
   We stress that these techniques have been implemented, and are
 available for public demonstration.