Re: Secure Yahoo logins

["Nick Jacobsen" <nick () ethicsdesign com>]

I just love this...  You are telling me that I can't sniff information from
an SSL session using a mitm attack?  the whole point is that you are in the
middle...  i.e. client connects to you and you coneect to server, therefore
the SSL session with the server is between you and the server, not the
client and the server...  you simply pass everything on to the client as
well, acting as the remote server...  Try using ettercap, then tell me I am
wrong...


Nick J.
Ethics Design
nick () ethicsdesign com
ethics () netzero net

----- Original Message -----
From: "David Thiel" <lx () redundancy redundancy org>
To: "Nick Jacobsen" <nick () ethicsdesign com>
Cc: <vuln-dev () securityfocus com>
Sent: Tuesday, August 27, 2002 9:06 PM
Subject: Re: Secure Yahoo logins


> On Tue, Aug 27, 2002 at 08:36:40PM -0700, Nick Jacobsen wrote:
> > it supports SSH(Secure Telnet)
>
> SSH is not even remotely like "Secure Telnet".
>
> > and SSL(HTTPS) decryption and sniffing, as
>
> Only if you have the server's keypair.
>
> > I guess my main point is that if you are having your users log in using
> > "secure log in" for the express reason of making it so their password
cannot
> > be sniffed, it is pointless, as anyone can STILL sniff it!
>
> There's a higher difficulty level involved with MITM attacks, and
> measures can be taken to prevent and/or recognize such attacks.
> SSL is not a panacea, but it's a useful layer of security.  The
> fact that MITM attacks exist is not proper rationale for abandoning
> the use of encryption.