Re: man in the middle attack over https

2007-10-04 Thread Steffen DETTMER
* Robert Butler wrote on Wed, Oct 03, 2007 at 17:43 -0400:
 That's right- 
 
 nobody can do man-in-the-middle (that I've heard, anyway) on HTTPS,
 since everything is encrypted using TLS or SSL.

Just for security I'd like to add a small concretion.
  (I know you know, but it cannot be stressed enough, otherwise
   by the time and some laziness some default trust to TLS
   could occur, like it's TLS and thus secure, which of course
   is wrong).

Encryption or SSL/TLS (as in HTTPS) by itself does not help anything
against MITM as long as the peer is not authenticated. This
authentication should be made by the user (after establishing the
SSL/TLS tunnel) by verifying the certified identity information
(by checking the certificate subject values), which works as long
as you can trust the system running the browser.

 If you get extremely lucky and catch the browser at the wrong moment,
 you can sniff the server key and browser key,
 but apart from that, it really depends on the strength of the server's
 key.

I assume keys used in practice (except some US export restricted
software, in case this restriction still exists) are always
strong enough to make a brute force key attack much more
expensive than other attacks (in which case IMHO the key strength
is sufficient).

 What they do, is they spoof the certificate and point you to a
 hijacked webpage (us.etrade.com.mypaidhost.net), from which
 they can easily collect your login information. 

They can (and should) use a valid correct authentic certificate
for *.mypaidhost.net which guarantees that the TLS tunnel is
really established to mypaidhost.net. That is what TLS is for.

Whether the authenticated peer (such as us.etrade.com.mypaidhost.net)
is the intended one or not must be decided by the user (who usually
should inspect the information in the certificate and other details).

Without the user inspecting the certificate, TLS does not help.
Maybe in case of a valid certificate for the phishing site the
institution that requested the certificate could be caught
because the CA should know, but I'm afraid in practice you can
get certificates without this being guaranteed, such as a
cacert.org certificate or whatever.

oki,

Steffen
 
About Ingenico Throughout the world businesses rely on Ingenico for secure and 
expedient electronic transaction acceptance. Ingenico products leverage proven 
technology, established standards and unparalleled ergonomics to provide 
optimal reliability, versatility and usability. This comprehensive range of 
products is complemented by a global array of services and partnerships, 
enabling businesses in a number of vertical sectors to accept transactions 
anywhere their business takes them.
www.ingenico.com This message may contain confidential and/or privileged 
information. If you are not the addressee or authorized to receive this for the 
addressee, you must not use, copy, disclose or take any action based on this 
message or any information herein. If you have received this message in error, 
please advise the sender immediately by reply e-mail and delete this message. 
Thank you for your cooperation.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
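Steffen's point above is that a TLS certificate only proves you are talking to the name in the certificate, not that this name is the site you meant; the two checks have to be made separately. The following is an added example (not code from the thread or from OpenSSL) that does both for the look-alike host discussed here: it matches the certificate's name against the host actually contacted, using the single-label wildcard rule modern clients apply (RFC 6125, section 6.4.3), and then checks on label boundaries whether that host is under the expected domain. The URL and certificate names are constructed for illustration.

```python
"""Added example: a valid certificate is not the same as the right host."""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lower-cased host name from a URL (no port, no path)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower().rstrip(".")


def cert_name_matches(cert_name: str, host: str) -> bool:
    """Does a certificate dNSName/CN (possibly '*.example') cover host?

    A wildcard must be the whole leftmost label and matches exactly one
    label, so '*.mypaidhost.net' covers 'login.mypaidhost.net' but not
    'us.etrade.com.mypaidhost.net' and not 'mypaidhost.net' itself.
    """
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    c_labels, h_labels = cert_name.split("."), host.split(".")
    if len(c_labels) != len(h_labels) or len(c_labels) < 3:
        return False
    return c_labels[1:] == h_labels[1:]


def under_domain(host: str, expected_domain: str) -> bool:
    """Is host equal to, or a subdomain of, expected_domain?

    Compares on label boundaries: 'us.etrade.com.mypaidhost.net' is NOT
    under 'etrade.com' even though the string contains it.
    """
    host, expected_domain = host.lower(), expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def assess(url: str, cert_names: list, expected_domain: str) -> dict:
    """Run both checks for a URL against the names in the server's cert."""
    host = host_of(url)
    return {
        "host": host,
        "cert_matches_host": any(cert_name_matches(n, host) for n in cert_names),
        "host_under_expected_domain": under_domain(host, expected_domain),
    }


# Constructed sample: the look-alike host from the thread, served with a
# certificate the attacker can legitimately obtain for their own domain.
PHISH_URL = "https://us.etrade.com.mypaidhost.net/login/logon.htm"

if __name__ == "__main__":
    print(assess(PHISH_URL, ["us.etrade.com.mypaidhost.net"], "etrade.com"))
```

For the sample URL the certificate check passes and the domain check fails, which is exactly the case TLS alone cannot catch: the tunnel is authentic, but it leads to mypaidhost.net.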


Re: man in the middle attack over https

2007-10-04 Thread Magosányi Árpád
2007/10/3, Robert Butler [EMAIL PROTECTED]:

  That's right-

 nobody can do man-in-the-middle (that I've heard, anyway) on HTTPS, since
 everything is encrypted using TLS or SSL.



Ehrmmm. MITM over https slowly becomes a standard firewall functionality,
Zorp being the first doing it (as in a lot of other things related to
firewalling, like [tadaaam] having an ssh proxy).
Of course it is designed for benign purposes, and correct certificate
validation stops its evil uses, but who knows how an ordinary user reacts to
the popup saying that the CA is unknown.


Re: man in the middle attack over https

2007-10-03 Thread Victor Duchovni
On Wed, Oct 03, 2007 at 11:21:46AM -0600, [EMAIL PROTECTED] wrote:

 Here is the URL they direct the victim to:
 
 https://us.etrade.com/login/challange/2b593cba/logon.htm
 

This is not the actual booby-trapped URL that users who click on the
phishing links would use. You are not looking at the HTML source of
the email.

-- 
Viktor.


Re: man in the middle attack over https

2007-10-03 Thread Robert Butler
That's right- 

nobody can do man-in-the-middle (that I've heard, anyway) on HTTPS,
since everything is encrypted using TLS or SSL.
If you get extremely lucky and catch the browser at the wrong moment,
you can sniff the server key and browser key,
but apart from that, it really depends on the strength of the server's
key.

What they do, is they spoof the certificate and point you to a hijacked
webpage (us.etrade.com.mypaidhost.net), from 
which they can easily collect your login information. They then access
your E*Trade account and have lots of fun with it, 
leaving you holding an empty bag.


That's my take on all of this.
- Robert

On Wed, 2007-10-03 at 15:39 -0400, Victor Duchovni wrote:

 On Wed, Oct 03, 2007 at 11:21:46AM -0600, [EMAIL PROTECTED] wrote:
 
  Here is the URL they direct the victim to:
  
  https://us.etrade.com/login/challange/2b593cba/logon.htm
  
 
 This is not the actual booby-trapped URL that users who click on the
 phishing links would use. You are not looking at the HTML source of
 the email.




Re: man in the middle attack over https

2007-10-03 Thread terr
Thank you very much!

I never realised there was even an html attachment!  I use mutt and never 
looked for it.  Of course I know why I use mutt and this is one of the reasons 
why.

Since I never looked at the html I never saw the bogus address.  How cute eh!

These financial institutions have a major major problem.  Then they recommend to 
people to use insecure systems.  I expect within a few years we are going 
to see some MAJOR heists!

Also IMHO man in the middle is possible even over https.  The issue is that you 
need to create what looks to be a valid cert and this means you need to have 
what looks to be a valid root CA.  The weak link might be updating the 
Browser's recognised root CA's.

I did some work on this a few years back and it looked quite doable to me then 
but I never actually followed up and looked in detail or looked at the security 
a browser must implement in order for it to be non-hackable.  It's a bit of a 
catch-22 situation.  If you cannot confirm the validity of the browser's 
acceptable root CAs then I would think one can be chucked in that makes any old 
self generated cert trustworthy.

Again.  Thanks for the tip.  Again.  I never thought to check for html code.



On Wed, Oct 03, 2007 at 05:43:22PM -0400, Robert Butler wrote:
 That's right- 
 
 nobody can do man-in-the-middle (that I've heard, anyway) on HTTPS,
 since everything is encrypted using TLS or SSL.
 If you get extremely lucky and catch the browser at the wrong moment,
 you can sniff the server key and browser key,
 but apart from that, it really depends on the strength of the server's
 key.
 
 What they do, is they spoof the certificate and point you to a hijacked
 webpage (us.etrade.com.mypaidhost.net), from 
 which they can easily collect your login information. They then access
 your E*Trade account and have lots of fun with it, 
 leaving you holding an empty bag.
 
 
 That's my take on all of this.
 - Robert
 
 On Wed, 2007-10-03 at 15:39 -0400, Victor Duchovni wrote:
 
  On Wed, Oct 03, 2007 at 11:21:46AM -0600, [EMAIL PROTECTED] wrote:
  
   Here is the URL they direct the victim to:
   
   https://us.etrade.com/login/challange/2b593cba/logon.htm
   
  
  This is not the actual booby-trapped URL that users who click on the
  phishing links would use. You are not looking at the HTML source of
  the email.
 
 


Re: man in the middle attack over https

2007-10-03 Thread terr

Right.  With server auth you eliminate the weakness I was thinking about a few 
years back.  As was pointed out I didn't check for html.


On Wed, Oct 03, 2007 at 03:55:21PM -0700, Michael Sierchio wrote:
 [EMAIL PROTECTED] wrote:
  I'd like to ask the group about a possible man in the middle attack over 
  https.
 
 What you've described (though see Viktor's post about what you didn't
 really include in your message) is not MITM -- it's just a fake URL
 scheme.   SSL v3.0 and TLS with server auth are not subject to MITM.
 
 Regards,
 
 Michael


Re: man in the middle attack over https

2007-10-03 Thread Victor Duchovni
On Wed, Oct 03, 2007 at 05:04:52PM -0600, [EMAIL PROTECTED] wrote:

 These financial instutions have a major major problem.  Then they
 recomend to people to use insecure systems.  I expect within a few few
 years we are going to see some MAJOR hiests!

I think you mean a few years ago, but this is off topic for this list,
so let's stop here.

-- 
Viktor.


Re: man in the middle attack over https

2007-10-03 Thread Michael Sierchio

[EMAIL PROTECTED] wrote:

I'd like to ask the group about a possible man in the middle attack over https.


What you've described (though see Viktor's post about what you didn't
really include in your message) is not MITM -- it's just a fake URL
scheme.   SSL v3.0 and TLS with server auth are not subject to MITM.

Regards,

Michael


Re: man in the middle attack over https

2007-10-03 Thread Robert Butler
That isn't man-in-the-middle- that's simple spoofing. 

And, I never said spoofing wasn't doable. I stated that getting
in-between a user and their SSL server depends on the strength of that
remote server's SSL cert, or catching the client and server when they're
about to start the exchange of temporary keys (so that SSL session will
work properly.)

- Robert

On Wed, 2007-10-03 at 17:04 -0600, [EMAIL PROTECTED] wrote:

 Thank you very much!
 
 I never realised there was even an html attachment!  I use mutt and never 
 looked for it.  Of course I know why I use mutt and this is one of the 
 reasons why.
 
 Since I never looked at the html I never saw the bogus address.  How cute eh!
 
 These financial institutions have a major major problem.  Then they recommend to 
 people to use insecure systems.  I expect within a few years we are going 
 to see some MAJOR heists!
 
 Also IMHO man in the middle is possible even over https.  The issue is that 
 you need to create what looks to be a valid cert and this means you need to 
 have what looks to be a valid root CA.  The weak link might be updating the 
 Browser's recognised root CA's.
 
 I did some work on this a few years back and it looked quite doable to me 
 then but I never actually followed up and looked in detail or looked at the 
 security a browser must implement in order for it to be non-hackable.  It's a 
 bit of a catch-22 situation.  If you cannot confirm the validity of the 
 browser's acceptable root CAs then I would think one can be chucked in that 
 makes any old self generated cert trustworthy.
 
 Again.  Thanks for the tip.  Again.  I never thought to check for html code.
 
 
 
 On Wed, Oct 03, 2007 at 05:43:22PM -0400, Robert Butler wrote:
  That's right- 
  
  nobody can do man-in-the-middle (that I've heard, anyway) on HTTPS,
  since everything is encrypted using TLS or SSL.
  If you get extremely lucky and catch the browser at the wrong moment,
  you can sniff the server key and browser key,
  but apart from that, it really depends on the strength of the server's
  key.
  
  What they do, is they spoof the certificate and point you to a hijacked
  webpage (us.etrade.com.mypaidhost.net), from 
  which they can easily collect your login information. They then access
  your E*Trade account and have lots of fun with it, 
  leaving you holding an empty bag.
  
  
  That's my take on all of this.
  - Robert
  
  On Wed, 2007-10-03 at 15:39 -0400, Victor Duchovni wrote:
  
   On Wed, Oct 03, 2007 at 11:21:46AM -0600, [EMAIL PROTECTED] wrote:
   
    Here is the URL they direct the victim to:

https://us.etrade.com/login/challange/2b593cba/logon.htm

   
   This is not the actual booby-trapped URL that users who click on the
   phishing links would use. You are not looking at the HTML source of
   the email.
  
  


Re: man in the middle attack over https

2007-10-03 Thread Victor Duchovni
On Wed, Oct 03, 2007 at 07:57:41PM -0400, Robert Butler wrote:

 That isn't man-in-the-middle- that's simple spoofing. 
 

I would like to humbly suggest that this thread end... Phishing attacks
can be discussed on other lists.

-- 
Viktor.


Re: man in the middle attack over https

2007-10-03 Thread Robert Butler
Indeed, I had planned on clamming up after that last post.

- Robert

On Wed, 2007-10-03 at 22:17 -0400, Victor Duchovni wrote:

 On Wed, Oct 03, 2007 at 07:57:41PM -0400, Robert Butler wrote:
 
  That isn't man-in-the-middle- that's simple spoofing. 
  
 
 I would like to humbly suggest that this thread end... Phishing attacks
 can be discussed on other lists.