Document Type

Technical Report

Publication Date


Technical Report Number



The Web is currently the pre-eminent medium for electronic service delivery to remote users. As a consequence, authentication of servers is more important than ever. Even sophisticated users base their decision whether or not to trust a site on browser cues---such as location bar information, SSL icons, SSL warnings, certificate information, response time, etc. In their seminal work on web spoofing, Felten et al showed how a malicious server could forge some of these cues---but using approaches that are no longer reproducible. However, subsequent evolution of Web tools has not only patched security holes---it has also added new technology to make pages more interactive and vivid. In this paper, we explore the feasibility of web spoofing using this new technology---and we show how, in many cases, every one of the above cues can be forged. In particular, we show how a malicious server can forge all the SSL information a client sees---thus providing a cautionary tale about the security of one of the most common applications of PKI. We stress that these techniques have been implemented, and are available for public demonstration.