Or if I set up my phishing web site to look like your login page and pull your 
pictures off of your legitimate site.
That is not MITM per se, but I am still positioning myself between the 2 
parties that want to communicate.

Thanks,
Carl

----- Original Message -----
From: "Richard Frovarp" <[email protected]>
To: [email protected]
Sent: Thursday, October 16, 2014 2:00:07 PM
Subject: Re: [cas-user] Has anybody done this?

You don't MITM the SSL necessarily. If you can catch them accessing the 
page via plain text, you MITM that. I'm guessing most people use search 
engines to find what they want, but one kind of expects that "gmail.com" 
in the browser will go from the insecure page and redirect to the secure 
page. You MITM that first request, stop the redirect to secure and you 
have it.

On 10/16/2014 12:48 PM, Andrew Morgan wrote:
> Is there any possible protection if a person can MITM an SSL webpage?  I
> don't see how MFA would help either.
>
>       Andy
>
> On Thu, 16 Oct 2014, Waldbieser, Carl wrote:
>
>>
>> The idea is if MITM is possible, this scheme falls down.  The MITM can just 
>> present the same pictures.
>>
>> If it is just someone who phished a password, it does make it harder, 
>> depending on how many pictures there are and how many guesses the attacker 
>> gets.
>>
>> Of course, the pictures could also be part of a phishing scheme.
>>
>> Thanks,
>> Carl Waldbieser
>> ITS System Programmer
>> Lafayette College
>>
>> ----- Original Message -----
>> From: "Andrew Morgan" <[email protected]>
>> To: [email protected]
>> Sent: Thursday, October 16, 2014 1:32:53 PM
>> Subject: Re: [cas-user] Has anybody done this?
>>
>> How would the attacker know which pictures with captions to present to the
>> user?
>>
>> This sounds similar to a scheme my credit union used at one time.  I could
>> choose a picture, which they would display to me on the login page.  If I
>> didn't see the picture I chose, then I would know it wasn't the credit
>> union's login page.  It was a user-friendly way to verify the identity of
>> the web site.
>>
>> Anyways, it still isn't a substitute for MFA because there really isn't a
>> second factor involved.
>>
>>      Andy
>>
>> On Thu, 16 Oct 2014, Nick Owen wrote:
>>
>>> As you may know, since this system uses no cryptography, it is
>>> susceptible to MiTM attacks.  There's nothing to stop the attacker
>>> from showing the pictures and in turn replaying the choice for your
>>> server.  It's a waste of time, a hassle for the users, more software
>>> to maintain and it creates a false sense of security.
>>>
>>>
>>> On Thu, Oct 16, 2014 at 12:21 PM, Bryan Wooten <[email protected]> 
>>> wrote:
>>>> I heard a rumor today that our Security Office wants to change how CAS
>>>> works.
>>>>
>>>> They want the users to pre-select a picture, then add a caption to it.
>>>>
>>>> When the user enters their netid they will be presented with multiple
>>>> pictures and must select the correct one before being prompted for their
>>>> password.
>>>>
>>>> I know this can be done via web flow in the same way that MFA works, but
>>>> this just seems so wrong.
>>>>
>>>> I'd rather force everyone to use MFA.
>>>>
>>>> Bryan Wooten
>>>>
>>>> UIT-Common Infrastructure Systems
>>>>
>>>> --
>>>> You are currently subscribed to [email protected] as:
>>>> [email protected]
>>>> To unsubscribe, change settings or access archives, see
>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>>
>>>
>>> --
>>> --
>>> Nick Owen
>>> WiKID Systems, Inc.
>>> http://www.wikidsystems.com
>>> Commercial/Open Source Two-Factor Authentication
>>>


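The thread argues the point in prose; the model below is an added illustration (not CAS code and not anything the posters wrote) that runs the three cases through a toy version of the scheme. It assumes a made-up Server holding each netid's picture, caption and password, a User who only types the password after seeing their own picture and caption, a phishing page that relays every step to the real server (the "just present the same pictures" attacker Nick and Carl describe), a phishing page that does not relay (the case the scheme actually catches), and a phisher who already has the password and must guess the picture under a lockout (Carl's "depends on how many pictures and how many guesses" case). All netids, captions, passwords and the picture pool are constructed for the example.

```python
"""Toy model of the pick-your-picture login step, added for illustration.
Not CAS code; every name and record below is made up for the example."""
import random
from dataclasses import dataclass, field

# Constructed picture pool; captions are whatever the user typed at enrolment.
PICTURE_POOL = ["cat", "bridge", "boat", "tree", "clock", "violin", "kite", "lamp", "mug"]


@dataclass
class Server:
    """Identity provider: netid -> (picture, caption, password)."""
    users: dict
    decoys: int = 5                # pictures shown per login = decoys + 1
    max_wrong_pictures: int = 3    # lockout bound that limits blind guessing
    rng: random.Random = field(default_factory=random.Random)
    wrong: dict = field(default_factory=dict)

    def pictures_for(self, netid):
        """Step 1: anyone who submits a netid gets the user's picture mixed with decoys."""
        chosen = self.users[netid][0]
        shown = [chosen] + [p for p in PICTURE_POOL if p != chosen][: self.decoys]
        self.rng.shuffle(shown)
        return shown

    def choose_picture(self, netid, picture):
        """Step 2: return the caption on a correct click, None otherwise; count misses."""
        if self.wrong.get(netid, 0) >= self.max_wrong_pictures:
            return None
        if picture == self.users[netid][0]:
            return self.users[netid][1]
        self.wrong[netid] = self.wrong.get(netid, 0) + 1
        return None

    def login(self, netid, picture, password):
        """Step 3: the password is only accepted together with the right picture."""
        return self.choose_picture(netid, picture) is not None and password == self.users[netid][2]


@dataclass
class User:
    netid: str
    picture: str
    caption: str
    password: str

    def try_login(self, site):
        """Behaviour the scheme relies on: type the password only after seeing
        your own picture and caption. `site` is whatever the browser reached."""
        shown = site.pictures_for(self.netid)
        if self.picture not in shown:
            return "stopped: my picture is missing"
        if site.choose_picture(self.netid, self.picture) != self.caption:
            return "stopped: wrong caption"
        site.login(self.netid, self.picture, self.password)
        return "entered password"


class RelayingPhisher:
    """Phishing page that forwards each step to the real server and keeps a copy
    of what the victim types. The victim sees the genuine pictures and caption."""
    def __init__(self, real_server):
        self.real, self.captured = real_server, None

    def pictures_for(self, netid):
        return self.real.pictures_for(netid)

    def choose_picture(self, netid, picture):
        return self.real.choose_picture(netid, picture)

    def login(self, netid, picture, password):
        self.captured = (netid, picture, password)
        return True  # show the victim a fake "logged in" page

    def replay(self):
        return self.real.login(*self.captured)


class NaivePhisher(RelayingPhisher):
    """Phishing page with no channel to the real server: it has to guess the
    pictures and cannot know the caption, so the user's check fails."""
    def __init__(self):
        self.captured = None

    def pictures_for(self, netid):
        return random.Random(1).sample(PICTURE_POOL, 6)

    def choose_picture(self, netid, picture):
        return None


def make_server(rng=None):
    # Constructed enrolment record: netid "alice" with a made-up picture, caption and password.
    return Server(users={"alice": ("kite", "windy day", "correct horse")}, rng=rng or random.Random(0))


def demo_relay():
    phisher = RelayingPhisher(make_server())
    outcome = User("alice", "kite", "windy day", "correct horse").try_login(phisher)
    return outcome, phisher.replay()        # ('entered password', True)


def demo_naive():
    return User("alice", "kite", "windy day", "correct horse").try_login(NaivePhisher())


def guesser_success_probability(shown, guesses):
    """Exact odds for a phisher with the password who must guess the picture
    from a uniformly shuffled list with a lockout after `guesses` wrong clicks."""
    return min(guesses, shown) / shown


def simulate_guesser(trials, seed=0):
    """Monte Carlo check of that formula against the Server's lockout logic."""
    rng, wins = random.Random(seed), 0
    for _ in range(trials):
        server = make_server(rng)
        for pic in server.pictures_for("alice"):
            if server.login("alice", pic, "correct horse"):
                wins += 1
                break
    return wins / trials


if __name__ == "__main__":
    print("relaying phisher:", demo_relay())
    print("naive phisher:", demo_naive())
    print("guesser, 6 shown / 3 tries:", guesser_success_probability(6, 3), simulate_guesser(3000))
```

The relaying page passes the victim's own check and replays the captured triple successfully, which is the thread's point: the pictures are sent to whoever submits the netid, so they authenticate nothing to a relay. The scheme does stop a page that cannot relay, and against a password-only phisher it adds roughly guesses/pictures odds per netid, which is the lockout-and-pool-size trade-off Carl mentions; neither changes the lack of a second factor.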