On Thu, Dec 13, 2001 at 12:23:21PM -0500, Evan D. Hoffman wrote:
> I was recently pointed to the app ettercap
> (http://ettercap.sourceforge.net/), which claims (among other things):
>
> "HTTPS support : you can sniff http SSL secured data... and even if the
> connection is made through a PROXY"
Yes, it's true, but you can sniff only SSL v2.0 traffic. Version 3.0 is not affected by the man in the middle attack, because it uses certificates to authenticate the server. Version 2.0 is obsolete and insecure.

> Google yielded this info:
> http://lists.debian.org/debian-security/2001/debian-security-200109/msg00060.html
> but I'm still not clear on what exactly is going on. From what I
> gather, the ettercap box will serve as a go-between for all traffic between
> server and client, and the client will get some kind of an error about the
> key changing, and if the user chooses to continue the transaction, there's
> nothing more that can be done. Does anyone know anything more about this

That's wrong. The client doesn't get any kind of error (I'm talking about the SSL v2.0 protocol). The key exchange is completely transparent to the peers, because the ettercap box acts as a proxy: it intercepts the legitimate keys that are passed back and forth during the SSL handshake, substitutes its own, and makes it appear to the client that it is the server, and to the server that it is the client. It decrypts all traffic from the client with the session keys established with the client, reads and/or modifies the data, then encrypts and sends all data to the server. In the other direction (server to client) it does the same.

You can do this with ARP poisoning, also on switched LANs.

Possible solutions to prevent the MITM attack:
- use certificates digitally signed by a third party (SSL v3.0)
- use static ARP table entries (on Windows 2000/NT, the static ARP table is not properly static. There's a hole in the implementation of the ARP protocol on MS systems. I don't know if it was fixed with the latest SP)

If you can't use static entries in your ARP table, to discover a MITM attack you can monitor your ARP cache table and look for two different hosts with the same MAC.

Check the documentation which comes with ettercap, it is very useful.

my 2 cents (euro)

ciao

--
blitzkrieg
--
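The ARP-cache check the reply suggests, as an added example that is not part of the original thread and is not ettercap's code: it parses the text output of `arp -n` (Linux) or `arp -a` (Windows) and reports any MAC address that is claimed by two or more IP addresses. It also goes one step beyond the post and compares the gateway's cached MAC against a value recorded earlier on a clean network, since an attacker poisoning the gateway entry is the usual way the duplicate shows up. The sample ARP dump, the poisoned host 192.168.1.77 and the recorded gateway MAC are all constructed for the example.

```python
"""Detect ARP-poisoning symptoms in a dumped ARP cache.

Added example (not from the original thread). It parses the text output of
`arp -n` (Linux) or `arp -a` (Windows) line by line, pulls out every
IPv4/MAC pair, and reports MAC addresses that are claimed by more than one
IP address, the symptom the post describes. It also checks that the
gateway's MAC still matches a known-good value recorded beforehand.
"""
import re
from collections import defaultdict

# Matches an IPv4 address followed (somewhere on the line) by a MAC written
# with ':' (Linux/BSD) or '-' (Windows) separators. Incomplete entries with
# no MAC are skipped, as is the column header line.
_ENTRY_RE = re.compile(
    r"(?P<ip>\b(?:\d{1,3}\.){3}\d{1,3}\b).*?"
    r"(?P<mac>\b(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}\b)"
)


def parse_arp_cache(text):
    """Return {ip: mac} with MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY_RE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table


def find_duplicate_macs(table, ignore_macs=()):
    """Return {mac: [ip, ...]} for MACs that appear under two or more IPs.

    ignore_macs lets the caller whitelist addresses that legitimately answer
    for several IPs (a router carrying multiple addresses, a VRRP/HSRP
    virtual MAC), which would otherwise be flagged on every run.
    """
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items()
            if len(ips) > 1 and mac not in ignore_macs}


def gateway_changed(table, gateway_ip, expected_mac):
    """True if the gateway's cached MAC differs from the recorded one."""
    current = table.get(gateway_ip)
    return current is not None and current != expected_mac.lower()


# Constructed sample: a Linux `arp -n` dump in which 192.168.1.77 has
# poisoned the cache so the gateway 192.168.1.1 now resolves to its MAC.
SAMPLE_ARP_N = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   00:0c:29:aa:bb:cc   C                     eth0
192.168.1.20             ether   00:50:56:11:22:33   C                     eth0
192.168.1.77             ether   00:0c:29:aa:bb:cc   C                     eth0
192.168.1.99                     (incomplete)                              eth0
"""

# The gateway MAC as recorded on a known-clean day (constructed value).
KNOWN_GATEWAY = ("192.168.1.1", "00:1a:2b:3c:4d:5e")


def check_cache(text, gateway=KNOWN_GATEWAY, ignore_macs=()):
    """Run both checks and return a list of human-readable findings."""
    table = parse_arp_cache(text)
    findings = []
    for mac, ips in find_duplicate_macs(table, ignore_macs).items():
        findings.append("MAC %s claimed by %s" % (mac, ", ".join(ips)))
    gw_ip, gw_mac = gateway
    if gateway_changed(table, gw_ip, gw_mac):
        findings.append("gateway %s now at %s (expected %s)"
                        % (gw_ip, table[gw_ip], gw_mac))
    return findings


if __name__ == "__main__":
    for finding in check_cache(SAMPLE_ARP_N):
        print("ALERT:", finding)
```

Run it periodically against the live cache (for example `arp -n` piped into `check_cache`) and alert on any finding. One caveat: a shared MAC is not always an attack. A router that owns several addresses or a VRRP/HSRP virtual MAC will trip the duplicate check every time, so record those in `ignore_macs` once you have confirmed them on a clean network; the gateway comparison against a recorded MAC is the more reliable signal.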