Exploit for DNS Cache Poisoning - RELEASED

• Previous message (by thread): Exploit for DNS Cache Poisoning - RELEASED
• Next message (by thread): https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Skywing wrote:
> Bookmarks or favorites or whatever your browser of choice wishes to call them, for the https URLs.  That, or remember to type in the https:// prefix.
> 
> - S
> 

Which works great until you run into something like Washington Mutual 
(of which you have no doubt heard)...

http://www.wamu.com  redirects to
http://www.wamu.com/personal/default.asp

and

https://www.wamu.com *also* redirects to
http://www.wamu.com/personal.default.asp (!)

And yes, then you're supposed to trust that the page you've been served 
up will send the form submit with your username and password to the 
right place over https.

They do now have a link to 
https://online.wamu.com/IdentityManagement/Logon.aspx on that main page, 
but you have to look for it. But really, https://www.wamu.com should 
redirect to *that* in order for it to be safe for the 
slightly-knowledgeable-about-http-security.

Matthew Kaufman
matthew at eeph.com
http://www.matthew.at

• Previous message (by thread): Exploit for DNS Cache Poisoning - RELEASED
• Next message (by thread): https (was: Re: Exploit for DNS Cache Poisoning - RELEASED)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]