funsec mailing list archives
Re: SSL/TLS broken?
From: <Toralv_Dirro () McAfee com>
Date: Tue, 10 Nov 2009 07:08:45 -0600
It could pose a more serious problem for all those people with machines hit by DNSchanger trojans where becoming MITM is trivial for the criminals behind it - but it's probably easier to trick the users into installing an additional trojan that takes care of the data stealing than pulling off this attack... cheers, Toralv
-----Original Message----- From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Dan Kaminsky Sent: Tuesday, November 10, 2009 6:28 AM To: Valdis.Kletnieks () vt edu Cc: funsec () linuxbox org; rMslade () shaw ca Subject: Re: [funsec] SSL/TLS broken? Nah, it's not that easy. The browser needs to think it's talking to www.amazon.com for the Amazon cookie to show up. Not downplaying the bug -- it's a problem -- but it's not THAT problem. On Nov 9, 2009, at 11:32 PM, Valdis.Kletnieks () vt edu wrote:On Mon, 09 Nov 2009 15:50:40 PST, "Rob, grandpa of Ryan,Trevor, Devon& Hannah" said:Ummmm, are we missing something? As far as I can see, this affects *any* kind of e-commerce, but I'm not seeing much discussion on it ...Yeah, it affects pretty much any SSL or TOS, so yes,basically all e-commerce. It's however mitigated by the requirement that you be ableto MITM theconnection. So, if you wanted to run this attack against my visit to www.amazon.com , you need to get me to visit your attackhost insteadof www.amazon.com. You might be able to pull a DNS trick, or you might be ableto use anHTML e-mail that contains cruft like: <this-is-an-a href=www.my-rbn-malware.com> www.amazon.com </a> So there's a few preconditions that raise the bar a bit. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list._______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Firmensitz: Muenchen Amtsgericht: AG Muenchen Handelsregister: HRB 144340 Geschaeftsfuehrer: Emmet Russell, Keith Krzeminski, Douglas Rice Bankverbindung: ABN-Amro Bank N.V. Konto 671 211 9006 UST-ID: DE168122444 _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- SSL/TLS broken? Rob, grandpa of Ryan, Trevor, Devon & Hannah (Nov 09)
- Re: SSL/TLS broken? Dan Kaminsky (Nov 09)
- Re: SSL/TLS broken? Valdis . Kletnieks (Nov 09)
- Re: SSL/TLS broken? Dan Kaminsky (Nov 09)
- Re: SSL/TLS broken? Toralv_Dirro (Nov 10)
- Re: SSL/TLS broken? Buhrmaster, Gary (Nov 10)
- Re: SSL/TLS broken? Dan Kaminsky (Nov 09)
- Re: SSL/TLS broken? Larry Seltzer (Nov 10)