At 2:00 PM -0400 on 10/6/99, [EMAIL PROTECTED] wrote:
> Title: Special Kurt's Closet: Is SSL dead?
> Resource Type: News letter
> Date: September 30, 1999
> Source: Security Portal
> Author: Kurt Seifried
> Keywords: INTERNET/WWW, SECURITY ISSUES, ONLINE SHOPPING, SSL
>
> Abstract/Summary:
> The title is a bit scary, but I wanted to get your attention (worked,
> didn't it?). Most security experts have been aware of problems with
> SSL, but generally speaking we haven't said much because there wasn't
> much of a replacement available for it, and it hasn't been exploited
> extensively (chances are it will be, though). I'll start with an
> explanation of the basic attack, followed by some methods to protect
> yourself, and finish with an interview with Dale Peterson of
> DigitalBond and the summary.
>
> How to do it
>
> Let's say I want to scam people's credit card numbers, and don't want
> to break into a server. What if I could get people to come to me, and
> voluntarily give me their credit card numbers? Well, this is entirely
> too easy.
>
> I would start by setting up a web server, and copying a popular site
> to it, say www.some-online-store.com, time required to do this with a
> tool such as wget is around 20-30 minutes. I would then modify the
> forms used to submit information and make sure they pointed to my
> server, so I now have a copy of www.some-online-store.com that looks
> and feels like the "real" thing. Now, how do I get people to come to
> it? Well I simply poison their DNS caches with my information, so
> instead of www.some-online-store.com pointing to 1.2.3.4, I would
> point it to my server at 5.6.7.8. Now when people go to
> www.some-online-store.com they end up at my site, which looks just
> like the real one.
>
> Original URL: http://securityportal.com/closet/closet19990930.html
>
> Added: Wed Oct 6 12:41:14 -040 1999
> Contributed by: Keeffee
-----------------
Robert A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'