It could pose a more serious problem for all those people with machines hit by DNSchanger trojans where becoming MITM is trivial for the criminals behind it - but it's probably easier to trick the users into installing an additional trojan that takes care of the data stealing than pulling off this attack...
cheers,
Toralv

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Dan Kaminsky
> Sent: Tuesday, November 10, 2009 6:28 AM
> To: [email protected]
> Cc: [email protected]; [email protected]
> Subject: Re: [funsec] SSL/TLS broken?
>
> Nah, it's not that easy. The browser needs to think it's talking to
> www.amazon.com for the Amazon cookie to show up.
>
> Not downplaying the bug -- it's a problem -- but it's not THAT problem.
>
> On Nov 9, 2009, at 11:32 PM, [email protected] wrote:
>
> > On Mon, 09 Nov 2009 15:50:40 PST, "Rob, grandpa of Ryan, Trevor, Devon
> > & Hannah" said:
> >> Ummmm, are we missing something? As far as I can see, this affects
> >> *any* kind of e-commerce, but I'm not seeing much discussion on it ...
> >
> > Yeah, it affects pretty much any SSL or TOS, so yes, basically all
> > e-commerce.
> >
> > It's however mitigated by the requirement that you be able to MITM the
> > connection.
> > So, if you wanted to run this attack against my visit to
> > www.amazon.com , you need to get me to visit your attack host instead
> > of www.amazon.com.
> > You might be able to pull a DNS trick, or you might be able to use an
> > HTML e-mail that contains cruft like:
> >
> > <this-is-an-a href=www.my-rbn-malware.com> www.amazon.com </a>
> >
> > So there's a few preconditions that raise the bar a bit.
> >
> > _______________________________________________
> > Fun and Misc security discussion for OT posts.
> > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > Note: funsec is a public and open mailing list.
