- Edward W. Felten
- Dirk Balfanz
- Drew Dean
- Dan S. Wallach
- This paper describes an Internet security attack that could endanger
the privacy of World Wide Web users and the integrity of their data.
The attack can be carried out on today's systems, endangering users
of the most common Web browsers, including Netscape Navigator and
Microsoft Internet Explorer. Web spoofing allows an attacker to
create a "shadow copy" of the entire World Wide Web. Accesses to the
shadow Web are funneled through the attacker's machine, allowing
the attacker to monitor all of the victim's activities including
any passwords or account numbers the victim enters. The attacker can
also cause false or misleading data to be sent to Web servers in the
victim's name, or to the victim in the name of any Web server. In
short, the attacker observes and controls everything the victim does
on the Web. We have implemented a demonstration version of this
- 20th National Information Systems Security Conference (Baltimore, Maryland), October, 1997.
- Postscript (269k)
GZip'ed Postscript (61k)
PDF (Adobe Acrobat 2.1) (79k)
Microsoft Word '95 (525k)
- See Also
- Web Spoofing: An Internet Con Game. Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach, Technical Report 540-96, Department of Computer Science, Princeton University, revised February 1997 (Original version: December 1996).
This report is written for a general audience.