Re: Secure Yahoo logins

From: David Thiel (lx@redundancy.redundancy.org)
Date: 08/28/02


Date: Wed, 28 Aug 2002 10:05:27 -0700
From: David Thiel <lx@redundancy.redundancy.org>
To: Nick Jacobsen <nick@ethicsdesign.com>

On Wed, Aug 28, 2002 at 01:36:06AM -0700, Nick Jacobsen wrote:
> I just love this... You are telling me that I can't sniff information from
> an SSL session using a MITM attack? The whole point is that you are in the
> middle...

I've used ettercap, I'm familiar with how the attacks work - to me,
what you seemed to be saying was that it was possible to decrypt
SSL off of the wire. So yes, you're correct that you can use
ettercap for an HTTP/SSL MITM attack, but the fact remains that
saying that using SSL for a login session is "pointless" is just
not accurate.

While an unencrypted connection can be sniffed at places other than
the local LAN, an SSL-ified one would require DNS cache poisoning
to mount a MITM attack. This is easy to defend against, and there's
also the fact that the end user will get a certificate warning in
this kind of situation (which they'll probably ignore, but this is
beside the point), whether the attack is local or remote. SSL is
another layer of security, which, while not bulletproof, is a Good
Thing.

Cheers,
David


