Re: HTTPS - How hard to decrypt?

From: David Vertie (verticalrave_at_hotmail.com)
Date: 07/10/03

    To: security-basics@securityfocus.com, c_brauckmiller@lek.com
    Date: Thu, 10 Jul 2003 21:00:27 +0000
    
    

    I highly doubt sometimes that an attacker would waste time trying to decrypt
    an HTTPS stream; it would be better just to attack the databases that hold
    all this login information, socially engineer it out of a person, install a
    keylogger while nobody is looking, or shoulder surf somebody who types slow.

    And as for surfing on HTTPS, could you fill us in on what happens after the
    login session? I really want to know.

    I've never surfed at Starbucks before :)

    But Adam (below) is right, whatever encryption you use, if it's not checked
    and updated, it's bound to have flaws that can lend it to exploiting by a
    good cracker.

    >From: "Adam Newhard" <atnewhard@microstrain.com>
    >To: "Craig Brauckmiller" <c_brauckmiller@lek.com>,
    >    <security-basics@securityfocus.com>
    >Subject: Re: HTTPS - How hard to decrypt?
    >Date: Thu, 10 Jul 2003 08:51:38 -0400
    >
    >Worst answer in the world...it all depends on how you've set it up. Yeah,
    >if you put ssl at 128 bit, your chances are at best on average someone
    >brute forcing at 2^64 tries. If you stay well up to date on ssl versions,
    >patches, and security "flaws", that's about the best you can do to seal
    >holes. However, always look into updated dependencies that ssl uses as from
    >what I can remember those are usually how people get in. The reason I say
    >it all depends on how you set it up is that (and correct me if I'm wrong
    >b/c I haven't looked into it for a while) there are known attacks that
    >greatly help someone break the ssl code such as the million message attack
    >where the server will actually tell you or give you a pretty good idea of
    >what the error was in your transmission...of course you can and definitely
    >should turn these off.
    >
    >Intercepting a wireless transmission is obviously a thousand times easier
    >than intercepting wireless and much less obvious...I figure seeing someone
    >plugged into your switch sitting next to you makes it pretty obvious that
    >they're sitting around watching you. Honestly, if I was gonna do something
    >to use your net connection, I'd try to get all your wireless packets routed
    >in through me and just do a man in the middle attack so that, at least
    >while you're there, I could get on.
    >
    >What happens after they login though...is that garbage still
    >encrypted...like are they just given a private key for wireless
    >transmissions or what?
    >
    >----------------------------------------------------
    >Adam Newhard
    >Microstrain, Inc.
    >If vegetarians eat vegetables, watch out for humanitarians
    >
    >----- Original Message -----
    >From: "Craig Brauckmiller" <c_brauckmiller@lek.com>
    >To: <security-basics@securityfocus.com>
    >Sent: Tuesday, July 08, 2003 1:33 PM
    >Subject: HTTPS - How hard to decrypt?
    >
    >
    > >
    > >
    > > We have begun rolling out wireless cards to our VP laptops. We have also
    > > purchased T-Mobile Hotspot accounts for them to use in such places as
    > > Starbucks, American Admiral's Clubs, etc.
    > >
    > > From my testing, the user name and password entry screen that TMobile
    > > requires you to fill in before they will allow you to do any type of
    > > surfing.
    > >
    > > The login page does use HTTPS, so I assume the user name and password are
    > > encrypted when the user submits the page.
    > >
    > > How hard is it to decrypt SSL based traffic over a wireless link or wired
    > > for that matter? Is it something trivial, or would it take some time to
    > > break? I just worry about a hacker hanging out at Starbucks and snagging
    > > a user name and password for free internet access.
    > >
    > > Thanks
    > >
    > > Craig Brauckmiller
    > >
    > >
    > > ---------------------------------------------------------------------------
    > > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    > > The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    > > while InStat has confirmed Neoteris as the leader in marketshare.
    > >
    > > Find out why, and see how you can get plug-n-play secure remote access in
    > > about an hour, with no client, server changes, or ongoing maintenance.
    > >
    > > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    > > ---------------------------------------------------------------------------
    > >
    > >
    >
    >
    >
    >
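
    Added example, not part of the original thread: the "million message attack" Adam mentions depends on the server reporting which padding check failed on the RSA-encrypted premaster secret, and the countermeasure in the TLS specification (RFC 5246, section 7.4.7.1) is to substitute a random secret and carry on. The sketch below works on an already-decrypted PKCS#1 v1.5 block; all function names and the sample block are constructed for illustration.

```python
import hmac
import os

PMS_LEN = 48  # TLS premaster secret: 2 version bytes + 46 random bytes

def make_block(pms: bytes, k: int = 128) -> bytes:
    """Constructed sample: a well-formed decrypted block for a k-byte RSA key."""
    return b"\x00\x02" + b"\xff" * (k - 3 - len(pms)) + b"\x00" + pms

def unpad_leaky(em: bytes) -> bytes:
    """Weak form: every kind of malformed block raises its own error."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # also true when no separator exists (find returns -1)
        raise ValueError("bad padding")
    if len(em) - sep - 1 != PMS_LEN:
        raise ValueError("bad premaster length")
    return em[sep + 1:]

def leaky_response(em: bytes) -> str:
    """What a peer could observe if the server reported unpad_leaky's errors."""
    try:
        unpad_leaky(em)
        return "ok"
    except ValueError as exc:
        return str(exc)

def unpad_hardened(em: bytes, client_version: bytes) -> bytes:
    """Corrected form: never reports a failure. A malformed block yields a
    random secret, so the handshake fails later at Finished, identically for
    every malformed input. (Python is not constant-time; this shows the
    uniform behaviour, not a timing guarantee.)"""
    fallback = os.urandom(PMS_LEN)  # drawn before any check is made
    k = len(em)
    if k < PMS_LEN + 11:  # block length is public (the RSA modulus size)
        return fallback
    pms = em[-PMS_LEN:]
    ok = hmac.compare_digest(em[:2], b"\x00\x02")
    ok &= em[k - PMS_LEN - 1] == 0        # separator where a 48-byte secret puts it
    ok &= 0 not in em[2:k - PMS_LEN - 1]  # padding bytes are all nonzero
    ok &= hmac.compare_digest(pms[:2], client_version)
    return pms if ok else fallback
```

    With the leaky form, three differently malformed blocks produce three distinguishable answers; with the hardened form, each one produces a 48-byte value that looks like any other secret.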


