Thank you very much!

I never realised there was even an html attachment!  I use mutt and never 
looked for it.  Of course I know why I use mutt and this is one of the reasons 
why.

Since I never looked at the html I never saw the bogus address.  How cute eh!

These financial institutions have a major, major problem.  Then they recommend to 
people to use insecure systems.  I expect within a few years we are going 
to see some MAJOR heists!

Also IMHO man in the middle is possible even over https.  The issue is that you 
need to create what looks to be a valid cert and this means you need to have 
what looks to be a valid root CA.  The weak link might be updating the 
browser's recognised root CAs.

I did some work on this a few years back and it looked quite doable to me then 
but I never actually followed up and looked in detail or looked at the security 
a browser must implement in order for it to be non-hackable.  It's a bit of a 
catch-22 situation.  If you cannot confirm the validity of the browser's 
acceptable root CAs then I would think one can be chucked in that makes any old 
self-generated cert trustworthy.

Again.  Thanks for the tip.  Again.  I never thought to check for html code.



On Wed, Oct 03, 2007 at 05:43:22PM -0400, Robert Butler wrote:
> That's right- 
> 
> nobody can do man-in-the-middle (that I've heard, anyway) on HTTPS,
> since everything is encrypted using TLS or SSL.
> If you get extremely lucky and catch the browser at the wrong moment,
> you can sniff the server key and browser key,
> but apart from that, it really depends on the strength of the server's
> key.
> 
> What they do, is they spoof the certificate and point you to a hijacked
> webpage (us.etrade.com.mypaidhost.net), from 
> which they can easily collect your login information. They then access
> your E*Trade account and have lots of fun with it, 
> leaving you holding an empty bag.
> 
> 
> That's my take on all of this.
> - Robert
> 
> On Wed, 2007-10-03 at 15:39 -0400, Victor Duchovni wrote:
> 
> > On Wed, Oct 03, 2007 at 11:21:46AM -0600, [EMAIL PROTECTED] wrote:
> > 
> > > Here is the URL they direct the victim to:
> > > 
> > > https://us.etrade.com/login/challange/2b593cba/logon.htm
> > > 
> > 
> > This is not the actual booby-trapped URL that users who click on the
> > phishing links would use. You are not looking at the HTML source of
> > the email.
> 
> 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
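The point raised in this thread is that the link text shown in the HTML part of the phishing mail names the real bank host while the href underneath points somewhere else. The following is an added example (not code from this list or from the OpenSSL project) of a small defender-side check for exactly that: it parses an HTML body, collects every anchor, and reports anchors whose visible text looks like a URL on a different registrable domain than the href. The sample message is constructed for the example; the hosts in it are the ones quoted in the thread. The "last two labels" domain comparison is a deliberate simplification (it does not handle multi-part suffixes such as co.uk).

```python
"""Flag HTML e-mail links whose visible text names one host but whose href
goes to another (the "bogus address" pattern discussed in the thread).
Added example; the sample message below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host):
    """Heuristic eTLD+1: keep the last two DNS labels.  This is a simplification
    (ignores suffixes like co.uk) but is enough to defeat the
    'us.etrade.com.mypaidhost.net' trick, where a naive substring check passes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return a list of (shown_host, real_host) for anchors whose visible text
    looks like a hostname/URL but sits on a different registrable domain than
    the href.  Anchors with plain text such as 'Click here' are not judged."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        # Only judge visible text that itself looks like a URL or hostname.
        if not text or " " in text or "." not in text:
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if not shown or not real:
            continue
        if registrable_domain(shown) != registrable_domain(real):
            findings.append((shown, real))
    return findings


# Constructed sample HTML part, modelled on the message described in the thread.
SAMPLE_HTML = """
<html><body>
<p>Please confirm your login at
<a href="https://us.etrade.com.mypaidhost.net/logon.htm">https://us.etrade.com/login/challange/2b593cba/logon.htm</a></p>
<p>Documentation: <a href="https://www.openssl.org/">www.openssl.org</a></p>
<p><a href="https://example.invalid/x">Click here</a> to unsubscribe.</p>
</body></html>
"""

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_HTML):
        print(f"link text shows {shown!r} but href goes to {real!r}")
```

Run against the constructed sample, the check reports only the first anchor: the text shows `us.etrade.com` while the href resolves to `us.etrade.com.mypaidhost.net`, whose registrable domain is `mypaidhost.net`. The openssl.org link passes because both sides agree, and "Click here" is skipped because the visible text is not a URL. A mail client that shows the href before following a link (or a text-only client such as mutt) gives the same information to the human reader.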