undefined | Better HN

0 pointsreginold4y ago0 comments

> (For example, if you had some sort of "signed iframe", the page would probably find a way to show the part from twitter that says "verified" but cover up the part that it's supposed to be actually verifying with something else).

This is the part where I imagined having a custom client side image. That way the server doesn't know what the "verified" image actually looks like. Could be a picture of my face, for example.

0 comments

lmm4y ago

> That way the server doesn't know what the "verified" image actually looks like.

Right, but it doesn't need to - it just has to construct a page that has the "verified" image on the left and the malicious URL on the right. Which is very difficult to rule out.

reginoldOP4y ago

How would it construct a page that has the verified image if it doesn't know what the image looks like?

lmm4y ago

It would construct a page that includes a part that's genuinely verified (so the browser displays the verified image) and a part that's malicious, but arrange it so that it looks like the verification goes with the malicious part.

j / k navigate · click thread line to collapse

0 pointsreginold4y ago0 comments

This is the part where I imagined having a custom client side image. That way the server doesn't know what the "verified" image actually looks like. Could be a picture of my face, for example.

0 comments

lmm4y ago

> That way the server doesn't know what the "verified" image actually looks like.

Right, but it doesn't need to - it just has to construct a page that has the "verified" image on the left and the malicious URL on the right. Which is very difficult to rule out.

reginoldOP4y ago

How would it construct a page that has the verified image if it doesn't know what the image looks like?

lmm4y ago

j / k navigate · click thread line to collapse