Re: Secure Yahoo logins

From: Steve Bremer (steveb@nebcoinc.com)
Date: 08/28/02
From: "Steve Bremer" <steveb@nebcoinc.com>
To: nick@ethicsdesign.com
Date: Wed, 28 Aug 2002 11:34:21 -0500
If you can perform a mitm attack, there is no doubt you can read the
traffic since you'll actually be decrypting it. However, performing the
mitm attack is the problem here. With the exception of the recent
browser flaws, it's not necessarily an easy attack.

You would have to find a way to get their browser to go to your
machine in the first place. This would require some sort of ARP
spoofing (in which case you would need to be on their local network
segment) or some sort of DNS diversion which would probably
require you to have control of the necessary DNS servers. At that
point, you'd also have to deal with the warning the user would
receive about an unsigned certificate being used (although this may
not be difficult since many people click through the warnings).

There may be other (easier) methods as well, but I'm not aware of
them.

Please enlighten me if I'm wrong.

Steve

On 28 Aug 2002 at 1:36, Nick Jacobsen wrote:

> I just love this... You are telling me that I can't sniff information
> from an SSL session using a mitm attack? The whole point is that you
> are in the middle... i.e. client connects to you and you connect to
> server, therefore the SSL session with the server is between you and
> the server, not the client and the server... you simply pass
> everything on to the client as well, acting as the remote server...
> Try using ettercap, then tell me I am wrong...
>
>
> Nick J.
> Ethics Design
> nick@ethicsdesign.com
> ethics@netzero.net
>
> ----- Original Message -----
> From: "David Thiel" <lx@redundancy.redundancy.org>
> To: "Nick Jacobsen" <nick@ethicsdesign.com>
> Cc: <vuln-dev@securityfocus.com>
> Sent: Tuesday, August 27, 2002 9:06 PM
> Subject: Re: Secure Yahoo logins
>
>
> > On Tue, Aug 27, 2002 at 08:36:40PM -0700, Nick Jacobsen wrote:
> > > it supports SSH(Secure Telnet)
> >
> > SSH is not even remotely like "Secure Telnet".
> >
> > > and SSL(HTTPS) decryption and sniffing, as
> >
> > Only if you have the server's keypair.
> >
> > > I guess my main point is that if you are having your users log in
> > > using "secure log in" for the express reason of making it so their
> > > password cannot be sniffed, it is pointless, as anyone can STILL sniff it!
> >
> > There's a higher difficulty level involved with MITM attacks, and
> > measures can be taken to prevent and/or recognize such attacks. SSL
> > is not a panacea, but it's a useful layer of security. The fact
> > that MITM attacks exist is not proper rationale for abandoning the
> > use of encryption.
> >
>
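One concrete form of the "measures" David refers to, and of the certificate warning Steve describes, added here as an illustrative example and not code from anyone in this thread: a stdlib-only Python client that fails closed on an unverifiable or mismatched certificate instead of prompting the user, with an optional certificate pin. Assumes Python 3.7 or later; the certificate dictionary and hash used for offline checking are constructed.

```python
"""Fail-closed TLS client checks: chain verification, hostname matching and an
optional certificate pin. Constructed example, not code from this thread."""
import hashlib
import socket
import ssl


def strict_client_context(cafile=None):
    """A context that rejects unverifiable certificates outright. A MITM that
    presents a self-signed or wrong-name certificate is refused before any
    application data (such as a login form) is sent."""
    ctx = ssl.create_default_context(cafile=cafile)  # system CA store if None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # name in the cert must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED  # no valid chain: handshake fails, no prompt
    return ctx


def hostname_matches(cert, hostname):
    """The name check that check_hostname enforces, written out so it can be run
    offline. `cert` has the shape returned by SSLSocket.getpeercert(). A wildcard
    counts only as the whole leftmost label and matches exactly one label:
    *.yahoo.com covers login.yahoo.com but not a.b.yahoo.com or yahoo.com."""
    host = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".").split(".")
        if len(pattern) != len(host) or pattern[1:] != host[1:]:
            continue
        if pattern[0] == host[0] or (pattern[0] == "*" and len(host) > 2):
            return True  # "*.com" never matches a registrable domain
    return False


def pin_matches(der_cert, expected_sha256_hex):
    """Certificate pin: recognises a substituted certificate even when a CA the
    client trusts has signed it. Compares the SHA-256 of the DER bytes."""
    return hashlib.sha256(der_cert).hexdigest() == expected_sha256_hex.lower()


def connect_strict(host, port=443, pin=None, timeout=5.0):
    """Open a TLS connection that fails closed; returns the negotiated version or
    raises ssl.SSLCertVerificationError / ValueError. Needs network access."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if pin and not pin_matches(tls.getpeercert(binary_form=True), pin):
                raise ValueError("certificate pin mismatch for %s" % host)
            return tls.version()
```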
