RE: Netscape's use of SSL Tyler Close (tyler@waterken.com)
Sun, 7 Nov 1999 11:54:24 -0500

Ben Laurie wrote:
> Out of shear preversity I often check the name on
> the cert. Once I discovered that way that the
> vendor had hired Yahoo to do their online web
> retailing. It was Yahoo's cert!

Was it also Yahoo's site?

I've spent some time reading the available docs at Netscape and I thought that they also notify the user if the site name on the cert does not match the site name in the requested URL.

> It is tedious to check the cert on each URL
> reference (about 10 sec when you rember exactly
> how). Commonly the "name on the cert" is the
> domain name from the URL. I have seen exceptions.
> The danger for not checking is DNS spoofing that
> directs the URL reference to a site with a cert,
> but not the one you planned to visit. The bogus
> site learms the swiss nmber and the jig is up.

The purpose of the PKI is to ensure that the bogus site does not have a cert for the victim site. I think your argument presumes failure of the PKI without stating it. I am not naive enough to believe that the PKI is infallible, but it's an important enough structure that presumption of failure needs to be stated.

If the site does not have a cert for the site requested in the URL, then the site should never see the URL. SSL authentication happens before the HTTP protocol even starts.

> Another thing is that JavaScript "code" is able
> to read the stack (History) that defines the
> state of the browser's back button. If a
> protected page holds an URL to a hostile page
> with such JavaScript, the hostile JavaScript can
> learn the swiss number for the protected page.
> The is only a pitfall but it is very serious.
> O'Reilly "JavaScript" second edition was
> published before Netscape 4 and describes a
> tentative fix for this. (See section 20.4.) I am
> very suspicious.

I've found Netscape documentation to be very difficult to get information from. The Microsoft Javascript documentation is superb.

The following is taken from:
http://msdn.microsoft.com/workshop/Author/dhtml/reference/ob jects/obj_history.asp

---BEGIN EXERPT----
For security reasons, the history object does not expose the actual URLs in the browser history. It does allow navigation through the browser history by exposing the back, forward, and go methods. A particular document in the browser history can be identified as an index relative to the current page. For example, specifying -1 as a parameter for the go method is the equivalent of clicking the Back button.

This object is available in script as of Microsoft® Internet Explorer 3.0.
---END EXERPT----

Exposing the contents of secure pages to JavaScript code from another site would be a gross security oversight for any secure web application. So far, I have found that gross security oversights have either been taken care of or do not exist.

Tyler