You don't MITM the SSL necessarily. If you can catch them accessing the page via plain text, you MITM that. I'm guessing most people use search engines to find what they want, but one kind of expects that "gmail.com" in the browser will go from the insecure page and redirect to the secure page. You MITM that first request, stop the redirect to secure and you have it.
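
Added example (not from the thread): a defender-side check for the first-request strip described above. Given the captured plain-HTTP landing response and the HTTPS response headers, it parses Strict-Transport-Security and reports whether a browser would still send the strippable cleartext request; the sample headers and the host login.example.edu are constructed for illustration.

```python
import re
from typing import Dict, Optional
ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts

def parse_hsts(value: Optional[str]) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value (RFC 6797); None if the header is absent."""
    if value is None:
        return None
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m:
                policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def assess(http_status: int, http_headers: Dict[str, str],
           https_headers: Dict[str, str]) -> Dict[str, object]:
    """Report whether stripping the site's first plain-HTTP redirect would go unnoticed."""
    plain = {k.lower(): v for k, v in http_headers.items()}
    secure = {k.lower(): v for k, v in https_headers.items()}
    findings = []
    if not (300 <= http_status < 400 and plain.get("location", "").lower().startswith("https://")):
        findings.append("plain-HTTP entry point does not redirect to https")
    # Browsers ignore HSTS received over plain HTTP, so only the HTTPS response counts.
    policy = parse_hsts(secure.get("strict-transport-security"))
    if policy is None:
        findings.append("no HSTS on the HTTPS response: every visit starts with a strippable cleartext request")
    else:
        if policy["max_age"] is None or policy["max_age"] < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if not policy["include_subdomains"]:
            findings.append("HSTS does not cover subdomains")
    # A browser that has cached the policy never sends the cleartext request at all.
    remembered = policy is not None and (policy["max_age"] or 0) > 0
    return {
        "findings": findings,
        "returning_visit_protected": remembered,
        # First visits are only safe if the host is really on the preload list; the flag is an estimate.
        "first_visit_protected": remembered and bool(policy["preload"]),
    }
# Constructed sample responses: the same redirecting HTTP entry point, with and without HSTS on HTTPS.
REDIRECT = {"Location": "https://login.example.edu/cas/login"}
WEAK_HTTPS = {"Content-Type": "text/html"}
HARD_HTTPS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
```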

On 10/16/2014 12:48 PM, Andrew Morgan wrote:
Is there any possible protection if a person can MITM an SSL webpage?  I
don't see how MFA would help either.

        Andy

On Thu, 16 Oct 2014, Waldbieser, Carl wrote:
The idea is if MITM is possible, this scheme falls down.  The MITM can just 
present the same pictures.

If it is just someone who phished a password, it does make it harder, depending 
on how many pictures there are and how many guesses the attacker gets.

Of course, the pictures could also be part of a phishing scheme.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: "Andrew Morgan" <[email protected]>
To: [email protected]
Sent: Thursday, October 16, 2014 1:32:53 PM
Subject: Re: [cas-user] Has anybody done this?

How would the attacker know which pictures with captions to present to the
user?

This sounds similar to a scheme my credit union used at one time.  I could
choose a picture, which they would display to me on the login page.  If I
didn't see the picture I chose, then I would know it wasn't the credit
union's login page.  It was a user-friendly way to verify the identity of
the web site.

Anyways, it still isn't a substitute for MFA because there really isn't a
second factor involved.

        Andy

On Thu, 16 Oct 2014, Nick Owen wrote:

As you may know, since this system uses no cryptography, it is
susceptible to MiTM attacks.  There's nothing to stop the attacker
from showing the pictures and in turn replaying the choice for your
server.  It's a waste of time, a hassle for the users, more software
to maintain and it creates a false sense of security.
On Thu, Oct 16, 2014 at 12:21 PM, Bryan Wooten <[email protected]> wrote:
I heard a rumor today that our Security Office wants to change how CAS
works.

They want the users to pre-select a picture, then add a caption to it.

When the user enters their netid they will be presented with multiple
pictures and must select the correct one before being prompted for their
password.

I know this can be done via web flow in the same way that MFA works, but
this just seems so wrong.

I’d rather force everyone to use MFA.

Bryan Wooten

UIT-Common Infrastructure Systems

--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication