At 2:00 PM -0400 on 10/6/99, [EMAIL PROTECTED] wrote:


> Title: Special Kurt's Closet: Is SSL dead?
> Resource Type: News letter
> Date: September 30, 1999
> Source: Security Portal
> Author: Kurt Seifried
> Keywords: INTERNET/WWW, SECURITY ISSUES, ONLINE SHOPPING, SSL
>
> Abstract/Summary:
> The title is a bit scary, but I wanted to get your attention (worked, didn't it?). Most
> security experts have been aware of problems with SSL, but generally speaking we
> haven't said much because there wasn't much of a replacement available for it,
> and it hasn't been exploited extensively (chances are it will be, though). I'll start
> with an explanation of the basic attack, followed by some methods to protect yourself,
> and finish with an interview with Dale Peterson of DigitalBond and the summary.
>
> How to do it
>
> Let's say I want to scam people's credit card numbers, and don't want to break into
> a server. What if I could get people to come to me, and voluntarily give me their
> credit card numbers? Well, this is entirely too easy.
>
> I would start by setting up a web server, and copying a popular site to it, say
> www.some-online-store.com, time required to do this with a tool such as wget is
> around 20-30 minutes. I would then modify the forms used to submit information
> and make sure they pointed to my server, so I now have a copy of
> www.some-online-store.com that looks and feels like the "real" thing. Now, how do
> I get people to come to it? Well I simply poison their DNS caches with my information,
> so instead of www.some-online-store.com pointing to 1.2.3.4, I would point it to
> my server at 5.6.7.8. Now when people go to www.some-online-store.com they end
> up at my site, which looks just like the real one.
>
> Original URL: http://securityportal.com/closet/closet19990930.html
>
> Added: Wed  Oct  6 12:41:14 -040 1999
> Contributed by: Keeffee

-----------------
Robert A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
