Firefox URI Confusion.
Published on:
1201978348
*UPDATE*
I talked with Mozilla about the issue, and it is not a weakness in SSL of any kind. The issue can only lead to confusion for Firefox users. I updated my post because I also made a mistake by not verifying the processes beneath it.
Firefox seems to have trouble defining the proper hostname when requesting an SSL connection. I was able to trick Firefox into thinking the hostname behind the at-sign is legit and the same as the URI that requested an SSL connection, and this without a warning. Since it can fail numerous times, Firefox has a nice feature that asks oblivious surfers: "Try again?" At that moment the full rogue host has been localized in the URL bar. That surely leverages the attack scenario and gives attackers a shot at tricking surfers into performing dangerous actions like installing executables, or just spoofing the target and phishing for it. I also have the idea this is just the tip of the Mozilla iceberg, another field to explore.
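A defensive check for the confusion described above, as an added example that is not part of the original post: it parses a link with the WHATWG `URL` API and reports the host that is actually contacted next to any hostname-looking text in front of the at-sign. The function name `classifyUserinfo`, the verdict strings and the sample URLs are constructed for illustration.

```javascript
// Added example (not from the original post). Names and URLs are constructed.
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

// Classify a link by what sits before the at-sign in its authority part.
function classifyUserinfo(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { verdict: "unparseable", realHost: null, claimed: null };
  }
  // The connection, and any certificate check, targets url.hostname only.
  const realHost = url.hostname;
  if (url.username === "" && url.password === "") {
    return { verdict: "clean", realHost, claimed: null };
  }
  // Userinfo can be percent-encoded to hide a slash or dot; decode before matching.
  let user = url.username;
  try {
    user = decodeURIComponent(user);
  } catch (err) {
    // Malformed escape sequence: fall back to the raw value.
  }
  const claimed = user.split(/[\/:?#]/)[0].toLowerCase();
  if (HOSTLIKE.test(claimed) && claimed !== realHost) {
    return { verdict: "deceptive", realHost, claimed };
  }
  return { verdict: "userinfo-present", realHost, claimed: null };
}

// Constructed sample links (reserved .example names).
const SAMPLE_URLS = [
  "https://www.bank.example@login.other.example/",
  "https://www.bank.example%2Faccount@login.other.example/",
  "https://www.bank.example/account@login.other.example/",
  "https://alice:secret@intranet.example/",
];
for (const u of SAMPLE_URLS) {
  console.log(classifyUserinfo(u), u);
}
```

A mail filter or link preview can show `realHost` to the user and block or rewrite links whose verdict is `deceptive`.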