Dartmouth PKI Lab
Web Spoofing Demonstration
Last modified: 05/09/07 10:13:47 AM

(see also our countermeasures page)

E.Z. Ye, Y. Yuan, S.W. Smith. Web Spoofing Revisited: SSL and Beyond Computer Science Technical Report TR2001-417. (PDF).


Can users believe what their browsers tell them? Even sophisticated Web users decide whether or not to trust a server based on browser cues such as location bar information, SSL icons, SSL warnings, certificate information, and response time. In their seminal work on Web spoofing, Felten et al showed how, in 1996, a malicious server could forge some of these cues. However, this work used genuine SSL sessions, and Web technology has evolved much since 1996.

The Web has since become the pre-eminent medium for electronic service delivery to remote users, and the security of many commerce, government, and academic network applications critically rests on the assumption that users can authenticate the servers with which they interact. This situation raises the question: is the browser-user communication model today secure enough to warrant this assumption?

In this paper, we answer this question by systematically showing how a malicious server can forge every one of the above cues. Our work extends the prior results by examining contemporary browsers, and by forging all of the SSL information a client sees, including the very existence of an SSL session (thus providing a cautionary tale about the security of one of the most common applications of PKI). We have made these techniques available for public demonstration, because anything less than working code would not convincingly answer the question. We also discuss implications and potential countermeasures, both short-term and long-term.

Now, the demonstrations...

Misleading URLs...

Neither of the following two links are really CNN...

http://www.cnn.com:mainpage@2175456613/~sws/0/ (works from most platforms)

http://www.cnn.com:mainpage@ (works from most of the rest)


Please note that this is a work in progress!

To be susceptible, you must:

In either case, if you mouse-over the link below, you'll see "http://basement.dartmouth.edu" in the status line at the bottom of your screen.

If you click on it, and you're not susceptible, then you'll actually go there.

If you click on it, and you are susceptible, then we'll pop open a new window for you.

Click here to see a spoof, if you're configured correctly.

Click here to see the real basement site

Back to Dartmouth PKI Lab Maintained by Sean Smith, sws@cs.dartmouth.edu