[personal profile] theweaselking
If you're not using Firefox 3.5 then you can't trust that a signed SSL certificate that claims to be your bank's is actually your bank's.

Requires DNS poisoning or a bad Hosts file or router-level control of your traffic, but with any of those, you won't be able to tell paypal.com from phish_hacker.cn.

Edit: Firefox 3.0.13 also fixes the bug. It was broken at article-time, fixed 3 days later.

(no subject)

Date: 2009-08-21 04:44 am (UTC)
From: [identity profile] endotoxin.livejournal.com
Looks like this bug was patched by Mozilla on August 1st. Hooray 3-day patch!

(no subject)

Date: 2009-08-21 05:08 am (UTC)
(deleted comment)

(no subject)

Date: 2009-08-21 05:00 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Well, yes.

But with those things, you go to https://www.paypal.com/ and you get seamlessly redirected, with your address bar intact.

This is a *completely undetectable attack* when the attacker has hosts, router, or dns.

(no subject)

Date: 2009-08-21 10:36 pm (UTC)
From: [identity profile] kowh.livejournal.com
I still don't know if any of the other browsers have been patched yet. When I last looked none of their bugtrackers/security alerts even acknowledged this hole, let alone said it was fixed.

(no subject)

Date: 2009-08-22 02:56 am (UTC)
From: [identity profile] ryusen.livejournal.com
it's just a shame that FF 3.5 has a huge memory leak that's still not fixed.

(no subject)

Date: 2009-08-22 01:20 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
I haven't had any problems with that - it's stable for *weeks* at a time, for me. But, then, I figure 500MB of RAM in a browser with 2 windows and 80 tabs open is reasonable.

(no subject)

Date: 2009-08-22 05:20 pm (UTC)
From: [identity profile] ryusen.livejournal.com
ok well not a memory leak, but i've noticed if i leave it running (even with no extensions enabled) after some time it will be eating up 99% CPU
