Re: OT: Inserting Ads without breaking the SSL

["Zaninotti, Thiago" <thiago () nstalker com>]

The way it is mentioned, it probably seems to be some kind of transparent 
proxy. I would avoid any important HTTPS transaction without making sure you 
are really connected to the target server (such as Internet Banking). 
Although they may create somehow a transparent proxy to provide you with SSL 
content, the x.509 certificate used will not be the same of the desired 
Internet Service (check it before executing any further SSL transaction).

Another way to go would be a "clientless" acceleration channel, where you 
would be required to download an activeX/Java component so HTTP/HTTPS 
connections would go straight forward using their "clientless" solution --  
that way, they would be able to provide Ads even for SSL connections.

Thiago Zaninotti,Security+,CISSP-ISSAP,CISM
----- Original Message ----- 
From: "Jason" <security () brvenik com>
To: "Saqib Ali" <docbook.xml () gmail com>
Cc: <varenc () mit edu>; <webappsec () securityfocus com>
Sent: Saturday, April 22, 2006 9:56 PM
Subject: Re: OT: Inserting Ads without breaking the SSL


> Saqib Ali wrote:
> > > I would not believe it possible as you describe it. Have you seen this
> > > happen?
> >
> >
> > I have not seen it myself. But I plan to visit Santa Clara and try it
> > out in next couple of days. But I found their technique to be very
> > strange, cause they clearly says that NO software installation
> > required on their website. So I figured it must be some kind of proxy
> > that modify the HTML pages. But that would certainly break SSL.
>
> It is not difficult to implement a transparent proxy that does this for
> regular HTTP traffic leaving the other traffic completely alone. There
> are many examples to look at and I suspect this is really just an
> extension of captive portals.
>
> > I thought other readers of this list may have seen / implemented
> > something like this. Thus the question.
>
> There have been MITM tools released and they can be effective but
> generally rely on the user making a mistake. I would doubt the SSL is
> being touched at all.
>
> > --
> > Saqib Ali, CISSP, ISSAP
> > Support http://www.capital-punishment.net
> > -----------
> > "I fear, if I rebel against my Lord, the retribution of an Awful Day
> > (The Day of Resurrection)" Al-Quran 6:15
> > -----------
>
> -------------------------------------------------------------------------
> This List Sponsored by: SPI Dynamics
>
> ALERT: "How A Hacker Launches A Web Application Attack!"
> Step-by-Step - SPI Dynamics White Paper
> Learn how to defend against Web Application Attacks with real-world
> examples of recent hacking methods such as: SQL Injection, Cross Site
> Scripting and Parameter Manipulation
>
> https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
> --------------------------------------------------------------------------



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. Change the way you 
think about application security testing - See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------