Exploit for DNS Cache Poisoning - RELEASED

Matthew Kaufman matthew at eeph.com
Wed Jul 23 22:53:30 CDT 2008


Skywing wrote:
> Bookmarks or favorites or whatever your browser of choice wishes to call them, for the https URLs.  That, or remember to type in the https:// prefix.
> 
> - S
> 

Which works great until you run into something like Washington Mutual 
(of which you have no doubt heard)...

http://www.wamu.com  redirects to
http://www.wamu.com/personal/default.asp

and

https://www.wamu.com *also* redirects to
http://www.wamu.com/personal.default.asp (!)

And yes, then you're supposed to trust that the page you've been served 
up will send the form submit with your username and password to the 
right place over https.

They do now have a link to 
https://online.wamu.com/IdentityManagement/Logon.aspx on that main page, 
but you have to look for it. But really, https://www.wamu.com should 
redirect to *that* in order for it to be safe for the 
slightly-knowledgeable-about-http-security.

Matthew Kaufman
matthew at eeph.com
http://www.matthew.at
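
The two conditions this message describes (an https URL that redirects to http, and a login form served on a cleartext page even though it submits to https) can be checked mechanically from a recorded redirect chain. The Python below is an added example, not part of the original post; the `audit` function, the `example.test` hostnames and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _Forms(HTMLParser):
    """Collect the action of every form that contains a password input."""
    def __init__(self):
        super().__init__()
        self.actions, self._action = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password" \
                and self._action is not None:
            self.actions.append(self._action)
            self._action = None  # record each form once
    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

def audit(hops, final_html):
    """hops: list of (url, Location header or None) as recorded from the server."""
    findings = []
    for url, location in hops:
        if location is None:
            continue
        target = urljoin(url, location)
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            findings.append(("downgrade", url, target))
    final_url = hops[-1][0]
    parser = _Forms()
    parser.feed(final_html)
    for action in parser.actions:
        post_to = urljoin(final_url, action)
        if urlsplit(final_url).scheme != "https":
            # The page carrying the form was modifiable in transit, so its
            # https action cannot be trusted by the time the user sees it.
            findings.append(("login-form-on-cleartext-page", final_url, post_to))
        elif urlsplit(post_to).scheme != "https":
            findings.append(("cleartext-submit", final_url, post_to))
    return findings

# Constructed sample modelled on the behaviour described in the message.
HOPS = [("https://www.example.test/", "http://www.example.test/personal/default.asp"),
        ("http://www.example.test/personal/default.asp", None)]
HTML = ('<form action="https://online.example.test/logon" method="post">'
        '<input name="u"><input type="password" name="p"></form>')

if __name__ == "__main__":
    for finding in audit(HOPS, HTML):
        print(finding)
```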




More information about the NANOG mailing list