WebApp Sec mailing list archives
Re: OT: Inserting Ads without breaking the SSL
From: Jason <security () brvenik com>
Date: Sat, 22 Apr 2006 20:56:12 -0400
Saqib Ali wrote:
I would not believe it possible as you describe it. Have you seen this happen?
I have not seen it myself. But I plan to visit Santa Clara and try it out in the next couple of days. But I found their technique to be very strange, because they clearly say that NO software installation is required on their website. So I figured it must be some kind of proxy that modifies the HTML pages. But that would certainly break SSL.
It is not difficult to implement a transparent proxy that does this for regular HTTP traffic leaving the other traffic completely alone. There are many examples to look at and I suspect this is really just an extension of captive portals.
I thought other readers of this list may have seen / implemented something like this. Thus the question.
There have been MITM tools released and they can be effective but generally rely on the user making a mistake. I would doubt the SSL is being touched at all.
-- Saqib Ali, CISSP, ISSAP Support http://www.capital-punishment.net ----------- "I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15 -----------