Re: [fw-wiz] Security of HTTPS

From: Kevin Sheldrake (kev_at_electriccat.co.uk)
Date: 11/27/04

  • Next message: Carson Gaspar: "Re: [fw-wiz] smtp proxy on firewall"
    To: "Servie Platon" <servie_tech@yahoo.com>, firewall-wizards@honor.icsalabs.com
    Date: Sat, 27 Nov 2004 16:16:44 -0000
    
    

    Hello

    You may wish to look at ettercap (not sure if it's been mentioned so far)
    from ettercap.sourceforge.net. There is some useful info in the FAQs, as
    well as in the man pages. Installing and using the tool (on *nix/*BSD/Mac
    OS X) will allow you to perform HTTPS MITM attacks between local users and
    remote web sites, although it would also be possible to perform the same
    against local web sites and remote users; just not remote users and remote
    web sites (at least not without some GRE tunnels...).

    The SSL MITM attacks in ettercap work by modifying and then signing the
    server certificate. The user generally gets asked whether they'd like to
    accept a certificate that is in date, relates to the right site, but is
    signed by a signing organisation they "haven't yet chosen to trust"
    (paraphrased). Click 'no' and you don't get your email (banking, porn,
    whatever); click 'yes' and you do get your email (etc). It's quite obvious
    to guess what most users do.

    The amusing side of this MITM attack is that if you register your
    certificate with a trusted CA (get it signed) then the newly signed server
    certificate will be trusted automatically IIRC. I believe it is possible
    to pay CAs to sign certificates for you. On the underground I would
    expect a handful of valid certificates to be circulating for this purpose.

    So, SSL/HTTPS is not necessarily secure, but then practically nothing is.
    As always, you need to take a risk management decision.

    Kev

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Hi folks,
    >
    > I'm so sorry for the messed up email before, my
    > apologies.
    >
    > I am not the original poster to this thread, but
    > reading the white paper on the SANS web site made me a
    > little bit wary of the possibilities, which is why I am
    > posting my question based on the topic of MITM attack.
    >
    > 1. How does the cracker home in to attack a preferred
    > network of choice? Do they just port scan the internet
    > and once it finds one would do the MITM and pose as a
    > legit web site?
    >
    > 2. Do they pose as legit web sites to unsuspecting
    > users, or hiding in the guise of a famous web site but
    > in fact doing a MITM attack?
    >
    > Most people nowadays make online transactions such
    > as buying, selling and other e-commerce type of thing.
    > After reading the whitepaper makes me think twice if
    > it is really safe using HTTPS despite the guarantees
    > being stated by such sites?
    >
    > Any tips, suggestions, as well as explanations as to
    > how this is done and how to avoid such a thing from
    > occurring would mean a lot so that we could limit the
    > chances of being victimized in the future.
    >
    > Thanks in advance.
    >
    > Sincerely,
    > Servie
    >
    > --- Jean-Denis Gorin <jdg_cnce2004@yahoo.fr> wrote:
    >
    >>
    >> Lot of papers about SSL Man In the Middle attack.
    >> For
    >> example, on the SANS web site:
    >> http://www.sans.org/rr/whitepapers/threats/480.php
    >>
    >> Some kind of proxies use this to enable content
    >> filtering of HTTPS traffic...
    >>
    >> JDG
    >>
    >> From Alex Bihlmaier
    >> >
    >> > Good Morning.
    >> >
    >> >
    >> >
    >> > I am curious how strong the security of https can
    >> be.
    >> > Is there some possibility of a MITM attack?
    >> > Are there any papers out there outlining this
    >> aspect
    >> > of security?
    >> >
    >> >
    >> >
    >> > //thalunil
    >> >
    >>
    >>
    >>
    >>
    >>
    >>
    >> _______________________________________________
    >> firewall-wizards mailing list
    >> firewall-wizards@honor.icsalabs.com
    >>
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >>
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.3.92 (MingW32) - GPGshell v3.23
    >
    > iD8DBQFBp8VuyQgrZePdA38RAhCyAJ9eN2yeoM/hccuBm7xFPI82jIY6KgCfedzA
    > KaKBtRpn4XXtSzj4Dkq2L70=
    > =dZR/
    > -----END PGP SIGNATURE-----

    -- 
    Kevin Sheldrake MEng MIEE CEng CISSP
    Electric Cat (Cheltenham) Ltd
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
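The certificate rewriting Kev describes above, worked through as an added example; this is not ettercap's code or anything posted in the thread. It builds a stand-in trusted root and a genuine leaf for a hypothetical host (www.example.com), then does what the intercepting proxy does: copies the subject, DNS names and validity period from the genuine leaf onto a new key and signs the result with an attacker-controlled CA (the CA names and the host are assumptions). The clone is then checked the way a browser would check it, against the real root, against the attacker's root, and against both, which is the "click yes" case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical host used for the demonstration only.
const victimHost = "www.example.com"

// mint issues a certificate from tmpl on a fresh P-256 key and signs it with
// parent/parentKey. parent == nil produces a self-signed root.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = serial
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(name string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		Subject: pkix.Name{CommonName: name}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func leafTemplate(host string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		Subject: pkix.Name{CommonName: host, Organization: []string{"Example Corp"}}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// cloneLeaf is the MITM step: everything the user can see (subject, SANs,
// validity) is copied from the genuine certificate onto a key the attacker
// holds, and the result is signed by the attacker's CA. Only issuer and key change.
func cloneLeaf(genuine, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		Subject: genuine.Subject, DNSNames: genuine.DNSNames, NotBefore: genuine.NotBefore, NotAfter: genuine.NotAfter,
		KeyUsage: genuine.KeyUsage, ExtKeyUsage: genuine.ExtKeyUsage,
	}
	return mint(tmpl, ca, caKey)
}

// verifyAs is the browser-side check: in date, name matches host, chains to a trusted root.
func verifyAs(leaf *x509.Certificate, host string, now time.Time, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool, CurrentTime: now})
	return err
}

// IsUnknownAuthority reports whether err is the "signer you have not chosen to trust" outcome.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

type Outcome struct {
	Genuine, Clone                                                        *x509.Certificate
	GenuineVsRealRoot, CloneVsRealRoot, CloneVsAttackerRoot, CloneVsBoth error
}

// Demo runs the whole scenario and returns each verification result.
func Demo() (Outcome, error) {
	now := time.Now()
	realCA, realKey, err := mint(caTemplate("Real Trusted CA", now), nil, nil) // assumed name
	if err != nil {
		return Outcome{}, err
	}
	genuine, _, err := mint(leafTemplate(victimHost, now), realCA, realKey)
	if err != nil {
		return Outcome{}, err
	}
	mitmCA, mitmKey, err := mint(caTemplate("Intercepting Proxy CA", now), nil, nil) // assumed name
	if err != nil {
		return Outcome{}, err
	}
	clone, _, err := cloneLeaf(genuine, mitmCA, mitmKey)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		Genuine: genuine, Clone: clone,
		GenuineVsRealRoot:   verifyAs(genuine, victimHost, now, realCA),
		CloneVsRealRoot:     verifyAs(clone, victimHost, now, realCA),         // the warning dialog
		CloneVsAttackerRoot: verifyAs(clone, victimHost, now, mitmCA),         // attacker root installed
		CloneVsBoth:         verifyAs(clone, victimHost, now, realCA, mitmCA), // user clicked 'yes'
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine vs real root:   ", o.GenuineVsRealRoot)
	fmt.Println("clone vs real root:     ", o.CloneVsRealRoot, "unknown authority:", IsUnknownAuthority(o.CloneVsRealRoot))
	fmt.Println("clone vs attacker root: ", o.CloneVsAttackerRoot)
	fmt.Println("clone issuer:           ", o.Clone.Issuer.CommonName, "subject:", o.Clone.Subject.CommonName)
}
```

The only thing that distinguishes the clone from the genuine certificate in a client's checks is the chain of trust: name, dates and the visible subject all match, so the verifier's sole complaint is the unknown issuer. Once that issuer is in the trust store, whether because the user accepted it or because a trusted CA signed a certificate for the attacker, the same clone verifies cleanly, which is exactly why the accept/reject prompt carries the whole weight of the protection.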
    
