Re: HTTPS - How hard to decrypt?

From: Adam Newhard (atnewhard_at_microstrain.com)
Date: 07/10/03

  • Next message: Damian Menscher: "Re: Top 10 (secure) programs"
    To: "Craig Brauckmiller" <c_brauckmiller@lek.com>, <security-basics@securityfocus.com>
    Date: Thu, 10 Jul 2003 08:51:38 -0400
    
    

    Worst answer in the world...it all depends on how you've set it up. Yeah,
    if you put ssl at 128 bit, your chances are at best on average someone brute
    forcing at 2^64 tries. If you stay well uptodate on ssl versions, patches,
    and security "flaws", that's about the best you can do to seal holes.
    However, always look into updated dependencies that ssl uses as from what i
    can remember those are usually how people get in. The reason i say it all
    depends on how you set it up is that (and correct me if i'm wrong b/c i
    haven't looked into it for a while) there are known attacks that greatly
    help someone break the ssl code such as the million message attack where the
    server will actually tell you or give you a pretty good idea of what the
    error was in your transmission...of course you can and definitely should
    turn these off.

    Intercepting a wireless transmission is obviously a thousand times easier
    than intercepting wireless and much less obvious...i figure seeing someone
    plugged into your switch sitting next to you makes it pretty obvious that
    they're sitting around watching you. Honestly, if i was gonna do something
    to use your net connection, i'd try to get all your wireless packets routed
    in through me and just do a man in the middle attack so that, at least while
    you're there, i could get on.

    what happens after they login though...is that garbage still
    encrypted...like are they just given a private key for wireless
    transmissions or what?

    ----------------------------------------------------
    Adam Newhard
    Microstrain, Inc.
    If vegetarians eat vegetables, watch out for humanitarians

    ----- Original Message -----
    From: "Craig Brauckmiller" <c_brauckmiller@lek.com>
    To: <security-basics@securityfocus.com>
    Sent: Tuesday, July 08, 2003 1:33 PM
    Subject: HTTPS - How hard to decrypt?

    >
    >
    > We have begun rolling out wireless cards to our VP laptops. We have also
    > purchased T-Mobile Hotspot accounts for them to use in such places as
    > Starbucks, American Admiral's Clubs, etc.
    >
    > >From my testing, the user name and password entry screen that TMobile
    > requires you to fill in before they will allow you to do any type of
    > surfing.
    >
    > The login page does use HTTPS, so I assume the user name and password are
    > encrypted when the user submits the page.
    >
    > How hard is it to decrypt SSL based traffic over a wireless link or wired
    > for that matter? Is it something trivial, or would it take some time to
    > break? I just worry about a hacker hanging out at Starbucks and snagging
    > a user name and password for free internet access.
    >
    > Thanks
    >
    > Craig Brauckmiller
    >
    > --------------------------------------------------------------------------
    -
    > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    > The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    > while InStat has confirmed Neoteris as the leader in marketshare.
    >
    > Find out why, and see how you can get plug-n-play secure remote access in
    > about an hour, with no client, server changes, or ongoing maintenance.
    >
    > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    > --------------------------------------------------------------------------

    --
    >
    >
    ---------------------------------------------------------------------------
    Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    while InStat has confirmed Neoteris as the leader in marketshare.
         
    Find out why, and see how you can get plug-n-play secure remote access in
    about an hour, with no client, server changes, or ongoing maintenance.
              
    Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    ----------------------------------------------------------------------------
    

  • Next message: Damian Menscher: "Re: Top 10 (secure) programs"