Re: "Free WiFi" man-in-the-middle scam seen in the wild.

2007-01-30 Thread Florian Weimer
* Perry E. Metzger:

> If you go over to, say, www.fidelity.com, you will find that you can't
> even get to the http: version of the page any more -- you are always
> redirected to the https: version.

Of course, this only helps if users visit the site using bookmarks
that were created after the switch.  If they enter "fidelity.com" (or
even just "fidelity") into their browsers to access it, the switch to
HTTPS won't help at all.  Perhaps this explains why someone might
think that serving the login page over HTTPS is just security theater.

In the same "we use HTTPS and are still vulnerable to MITM
attacks" department, there's the really old issue of authenticating
cookies which are not restricted to HTTPS, but will be happily sent
over HTTP as well. *sigh*

Apart from that, the article you linked to does not even mention
actual attacks with an identity theft motive.  What's worse, the
suggested countermeasures don't protect you at all.  Ad-hoc networks
are insecure, and those with an access point are secure?  Yeah, right.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: "Free WiFi" man-in-the-middle scam seen in the wild.

2007-01-25 Thread James A. Donald

--
Perry E. Metzger wrote:
> It used to be that Verizon (my local phone company,
> sadly) had this general problem but you could click on
> "log in" and it would direct you to a secure page with
> a little error message and you could then enter your
> username and password. They've since "fixed" that so
> it is no longer possible to log in safely to their web
> site at all.

The reason we cannot sell, nor profitably implement,
usable and effective security is, as Ian Grigg says in
"the market for silver bullets", that neither buyers nor
sellers can tell the difference between security that
works, and security that does not work, even though you
and I can tell the difference.

The most recent illustration of this is the reaction to
the recent AACS content protection hack.
Cyberlink says its DRM code is working fine,
because it does what it is designed to do - but
unfortunately the design prevents legitimate purchasers
from playing legitimately purchased content on
legitimately purchased machines, and fails to prevent
people from ripping the content and sharing it through
bittorrent.  Cyberlink's statement echoes the statement
made earlier by many on this list and related lists
that PKI fulfills its specification just fine.  The DRM
people wanted something that could not be done, so
unsurprisingly they wound up buying something that does
not do it.

--digsig
 James A. Donald



Re: "Free WiFi" man-in-the-middle scam seen in the wild.

2007-01-23 Thread Matthias Bruestle
Hi,

Perry E. Metzger wrote:
> For years, I've complained about banks, such as Chase, which let
> people type in the password to their bank account into a page that has
> been downloaded via http: instead of https:.
> 
> The banks always say "oh, that's no problem, because the password is
> posted via https:", and I say "but that's only if the page comes from
> *you*, and it might come from a bad guy."

A German bank had the same problem. After some discussions without
positive results I wrote an article about SSL problems for a large
German IT magazine and described their situation. A short time after
they changed the login page to https.

Matthias

-- 
Matthias Bruestle, Managing Director
Phone +49 (0) 91 19 55 14 91, Fax +49 (0) 91 19 55 14 97
MaskTech GmbH, Nordostpark 16, 90411 Nuernberg, Germany



Re: "Free WiFi" man-in-the-middle scam seen in the wild.

2007-01-23 Thread Perry E. Metzger

Derek Atkins <[EMAIL PROTECTED]> writes:
> I'll just point out that you CAN go to:
>
>  https://chaseonline.chase.com/
>
> And that works, and should be secure.

And for the six people that know to do that, it works great. :)

It used to be that Verizon (my local phone company, sadly) had this
general problem but you could click on "log in" and it would direct
you to a secure page with a little error message and you could then
enter your username and password. They've since "fixed" that so it is
no longer possible to log in safely to their web site at all.

Perry



Re: "Free WiFi" man-in-the-middle scam seen in the wild.

2007-01-23 Thread Roy M. Silvernail
On Tue, January 23, 2007 09:24, Perry E. Metzger wrote:

> (Incidentally, the article gets a few things wrong. It somewhat implies
> that you are safe if you pick a WiFi network you have a previous
> relationship with, which isn't true.)

It also is only warning against ad-hoc connections with misleading names. 
While I see a bunch of these around (not necessarily in airports,
either... several show up from my cube at work), it doesn't take much to
put up a perfectly normal-looking access point.  See
http://www.ethicalhacker.net/content/view/66/24/ for examples.
-- 
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
"Antelope Freeway, one sixty-fourth of a mile." - TFT
http://www.rant-central.com



Re: "Free WiFi" man-in-the-middle scam seen in the wild.

2007-01-23 Thread Derek Atkins

Quoting "Perry E. Metzger" <[EMAIL PROTECTED]>:

> Now you might wonder, why do I keep picking on Chase?
>
> A certain other security person and I had an extended argument with
> the folks at another company I won't name other than to say that it was
> American Express. At the time, they more or less said, "yah, this is a
> problem, but fixing it is going to be a pain." However, I'll note that
> now, as with Fidelity, you pretty much can't go onto their web site
> without using https: -- kudos to Amex.
>
> Indeed, though this was all a major problem a couple of years ago with
> many banks, many have now fixed it. However, for a select few, like,
> say, Chase, the message simply isn't getting through even though these
> organizations have been repeatedly informed that they are leaving
> their customers vulnerable. One wonders what level of trouble they're
> going to have to get into before they actually do the right thing.

I'll just point out that you CAN go to:

 https://chaseonline.chase.com/

And that works, and should be secure.   No, it's not the same as
typing "chase" into your browser and having the right thing happen,
but honestly this is what browser caches are for.  (When I type "chase"
into my browser bar it autocompletes to the above URL).

-derek

--
  Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
  Member, MIT Student Information Processing Board  (SIPB)
  URL: http://web.mit.edu/warlord/PP-ASEL-IA N1NWH
  [EMAIL PROTECTED]    PGP key available



"Free WiFi" man-in-the-middle scam seen in the wild.

2007-01-23 Thread Perry E. Metzger

For years, I've complained about banks, such as Chase, which let
people type in the password to their bank account into a page that has
been downloaded via http: instead of https:.

The banks always say "oh, that's no problem, because the password is
posted via https:", and I say "but that's only if the page comes from
*you*, and it might come from a bad guy."

"How would someone possibly send the user a faked up web page?" they
then ask. I reply like this: "the two obvious ways are DNS cache
contamination and doing a man-in-the-middle in the network, and the
latter is really easy now that people trust WiFi base stations in
strange places that they've never used before. You could just put a
tiny box near a cafe or airport lounge and siphon off passwords day
and night."

The bank people then tell me that I'm crazy. (They're usually more
polite than that, but that's the import of what they say.) I have a
great letter from a manager at Chase informing me that they've been
assured by fabulous security people that their system is safe.

Adding insult to injury, the banks put a little padlock GIF on their
insecure form, probably to reduce the number of phone calls they get
about it.

Well, guess what. It turns out that people are now deploying
man-in-the-middle WiFi devices in places like airports and siphoning
passwords for bank accounts.

Who would have thought of such a nefarious thing? Certainly this is a
new problem and one no one would have thought of before now...:

   January 19, 2007 (Computerworld) -- The next time you're at an airport
   looking for a wireless hot spot, and you see one called "Free Wi-Fi"
   or a similar name, beware -- you may end up being victimized by the
   latest hot-spot scam hitting airports across the country.

   You could end up being the target of a "man in the middle" attack, in
   which a hacker is able to steal the information you send over the
   Internet, including usernames and passwords. And you could also have
   your files and identity stolen,[...]

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9008399&source=NLT_NET&nlid=27

(Incidentally, the article gets a few things wrong. It somewhat implies
that you are safe if you pick a WiFi network you have a previous
relationship with, which isn't true.)

Just to pick on my favorite exemplar of how not to do things for a
moment, go over to:

http://www.chase.com/

and ponder how it could be that a giant multinational financial
institution could set its customers up this way.

If you go over to, say, www.fidelity.com, you will find that you can't
even get to the http: version of the page any more -- you are always
redirected to the https: version. For the record, Fidelity has gotten
this right for as long as I've been watching them.

Now you might wonder, why do I keep picking on Chase?

A certain other security person and I had an extended argument with
the folks at another company I won't name other than to say that it was
American Express. At the time, they more or less said, "yah, this is a
problem, but fixing it is going to be a pain." However, I'll note that
now, as with Fidelity, you pretty much can't go onto their web site
without using https: -- kudos to Amex.

Indeed, though this was all a major problem a couple of years ago with
many banks, many have now fixed it. However, for a select few, like,
say, Chase, the message simply isn't getting through even though these
organizations have been repeatedly informed that they are leaving
their customers vulnerable. One wonders what level of trouble they're
going to have to get into before they actually do the right thing.


Perry
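The three weaknesses the thread raises (a password form delivered over http: even when it posts to https:, an http: entry point that does not redirect to https: the way Fidelity's does, and, from Florian Weimer's reply, authentication cookies without the Secure attribute) can be checked mechanically from a captured response. The audit below is an added example, not code from the thread or from any bank; the URLs, cookie and HTML are constructed samples, and the function only inspects responses you already hold, so it makes no network requests.

```python
# Added example: audit one HTTP response for the login-over-http problems
# discussed in the thread. Inputs are constructed, not captured from any site.
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin

class _FormScanner(HTMLParser):
    """Collect [action, has_password_field] for every <form> in a page."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = [a.get("action") or "", False]
            self.forms.append(self._cur)
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self._cur:
            self._cur[1] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def audit_login_page(url, status, headers, body):
    """Return findings for the response to GET `url`; headers is a list of
    (name, value) pairs because Set-Cookie may repeat."""
    findings, scheme = [], urlsplit(url).scheme
    # 1. An http: entry point should answer with a redirect whose Location is https:.
    location = next((v for k, v in headers if k.lower() == "location"), "")
    if scheme == "http" and not (status in (301, 302, 303, 307, 308)
                                 and urlsplit(urljoin(url, location)).scheme == "https"):
        findings.append("http entry point not redirected to https")
    # 2. A password form fetched over http: is unsafe regardless of its action,
    #    because whoever sits in the path can rewrite the form before it is seen.
    scanner = _FormScanner()
    scanner.feed(body)
    for action, has_pw in scanner.forms:
        if has_pw and scheme == "http":
            findings.append(f"password form served over http (action={action!r})")
    # 3. A cookie set without the Secure attribute will also be sent over http:.
    for k, v in headers:
        if k.lower() == "set-cookie":
            attrs = {p.strip().lower() for p in v.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie {v.split('=', 1)[0]} lacks Secure attribute")
    return findings

# Constructed sample responses (hypothetical host bank.example).
LOGIN_FORM = ('<form action="https://bank.example/login" method="post">'
              '<input type="text" name="u"><input type="password" name="p"></form>')
INSECURE_RESPONSE = ("http://bank.example/", 200, [("Set-Cookie", "SESSION=abc; Path=/")], LOGIN_FORM)
REDIRECT_RESPONSE = ("http://bank.example/", 301, [("Location", "https://bank.example/")], "")
HTTPS_LOGIN_RESPONSE = ("https://bank.example/login", 200,
                        [("Set-Cookie", "SESSION=abc; Path=/; Secure; HttpOnly")], LOGIN_FORM)
```

Running `audit_login_page(*INSECURE_RESPONSE)` reports all three problems, while the redirect and the https: login page produce no findings.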
