Re: [cryptography] A REALLY BIG MITM

2011-01-27 Thread Peter Gutmann
I wrote:

This isn't one of those namby-pamby one-site phishing MITMs, this is a MITM
of an entire country:

For those who want more details, there's a technical analysis at:

http://blog.jgc.org/2011/01/code-injected-to-steal-passwords-in.html

Full source available via pastebin:

http://pastebin.com/1JsrcZBf

Peter.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] A REALLY BIG MITM

2011-01-26 Thread Marsh Ray

On 01/25/2011 09:50 PM, Peter Gutmann wrote:

This isn't one of those namby-pamby one-site phishing MITMs, this is a MITM of
an entire country:

http://www.theatlantic.com/technology/archive/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044/

For those who don't want to read the whole thing, the solution was duuhh, we
turned on thuh SSL - they were using plain HTTP for logon.  Sigh.


Of course, Microsoft helpfully provides the government of Tunisia with a 
trusted root CA in their products. If you have access to a Windows box, 
visit https://www.certification.tn/ . Then look for Agence Nationale de 
Certification Electronique in your personal trusted root store.


For some reason, MS Windows doesn't list everyone it trusts until they 
actually need trusting. Then root certs get installed on the fly.


Oh and it's a code signing cert. This is used for things like running 
ActiveX controls without prompting. I.e., arbitrary code execution.


- Marsh
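As an added, defender-side example (not code from Marsh or anyone on the list): a PowerShell audit of which roots a Windows box currently trusts and which of those are usable for code signing, flagging the issuer name Marsh mentions. The store paths and the function name are assumptions; roots that Windows installs on demand will only appear after they have been used once, as described above.

```powershell
# Added audit example, not from the thread: enumerate trusted root CAs on this
# machine and flag those that could sign code (Authenticode, ActiveX, etc.).
# Caveat: this reads each certificate's own EKU extension only; per-store
# purpose restrictions an admin may have set in the certificate properties
# dialog are not reflected here.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning
$watch = 'Agence Nationale de Certification Electronique'   # issuer named in the thread

function Get-CodeSigningRoots {
    param([string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'))
    foreach ($store in $Stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $eku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            # A root with no EKU extension is valid for every purpose, code signing included.
            $allowsCodeSigning = (-not $eku) -or
                ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })
            [pscustomobject]@{
                Store       = $store
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
                CodeSigning = [bool]$allowsCodeSigning
                Watchlisted = ($cert.Subject -like "*$watch*")
            }
        }
    }
}

# Report: code-signing-capable roots first, watchlisted ones at the top.
Get-CodeSigningRoots |
    Where-Object { $_.CodeSigning } |
    Sort-Object Watchlisted -Descending |
    Format-Table Store, Subject, Thumbprint, NotAfter, Watchlisted -AutoSize
```

Run it again after visiting a site whose chain ends in a not-yet-installed root to see the on-the-fly install Marsh describes show up in the listing.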


Re: [cryptography] A REALLY BIG MITM

2011-01-26 Thread Peter Gutmann
I wrote:

For those who don't want to read the whole thing, the solution was duuhh, we
turned on thuh SSL - they were using plain HTTP for logon.  Sigh.

Looks like they now made HTTPS for login permanent:

http://digitizor.com/2011/01/26/facebook-social-login-https/

Funny how so many of these obvious, straightforward security measures only get 
turned on after an embarrassingly public hack...

Peter.