Re: SSL/TLS broken?

[Dan Kaminsky <dan () doxpara com>]

Nah, it's not that easy. The browser needs to think it's talking to www.amazon.com 
  for the Amazon cookie to show up.

Not downplaying the bug -- it's a problem -- but it's not THAT problem.



On Nov 9, 2009, at 11:32 PM, Valdis.Kletnieks () vt edu wrote:

> On Mon, 09 Nov 2009 15:50:40 PST, "Rob, grandpa of Ryan, Trevor,  
> Devon & Hannah" said:
> > Ummmm, are we missing something?  As far as I can see, this affects  
> > *any* kind
> > of e-commerce, but I'm not seeing much discussion on it ...
>
> Yeah, it affects pretty much any SSL or TOS, so yes, basically all e- 
> commerce.
>
> It's however mitigated by the requirement that you be able to MITM  
> the connection.
> So, if you wanted to run this attack against my visit to www.amazon.com 
> ,
> you need to get me to visit your attack host instead of  
> www.amazon.com.
> You might be able to pull a DNS trick, or you might be able to use  
> an HTML
> e-mail that contains cruft like:
>
> <this-is-an-a href=www.my-rbn-malware.com> www.amazon.com </a>
>
> So there's a few preconditions that raise the bar a bit.
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.