WebApp Sec mailing list archives
Re: OT: Inserting Ads without breaking the SSL
From: "Zaninotti, Thiago" <thiago () nstalker com>
Date: Mon, 24 Apr 2006 17:05:47 -0300
The way it is mentioned, it probably seems to be some kind of transparent proxy. I would avoid any important HTTPS transaction without making sure you are really connected to the target server (such as Internet Banking). Although they may create somehow a transparent proxy to provide you with SSL content, the x.509 certificate used will not be the same of the desired Internet Service (check it before executing any further SSL transaction).
Another way to go would be a "clientless" acceleration channel, where you would be required to download an activeX/Java component so HTTP/HTTPS connections would go straight forward using their "clientless" solution -- that way, they would be able to provide Ads even for SSL connections.
Thiago Zaninotti,Security+,CISSP-ISSAP,CISM----- Original Message ----- From: "Jason" <security () brvenik com>
To: "Saqib Ali" <docbook.xml () gmail com> Cc: <varenc () mit edu>; <webappsec () securityfocus com> Sent: Saturday, April 22, 2006 9:56 PM Subject: Re: OT: Inserting Ads without breaking the SSL
Saqib Ali wrote:I would not believe it possible as you describe it. Have you seen this happen?I have not seen it myself. But I plan to visit Santa Clara and try it out in next couple of days. But I found their technique to be very strange, cause they clearly says that NO software installation required on their website. So I figured it must be some kind of proxy that modify the HTML pages. But that would certainly break SSL.It is not difficult to implement a transparent proxy that does this for regular HTTP traffic leaving the other traffic completely alone. There are many examples to look at and I suspect this is really just an extension of captive portals.I thought other readers of this list may have seen / implemented something like this. Thus the question.There have been MITM tools released and they can be effective but generally rely on the user making a mistake. I would doubt the SSL is being touched at all.-- Saqib Ali, CISSP, ISSAP Support http://www.capital-punishment.net ----------- "I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15 ------------------------------------------------------------------------------------ This List Sponsored by: SPI Dynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: WatchfireWatchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. Change the way you think about application security testing - See for yourself. Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF --------------------------------------------------------------------------
Current thread:
- OT: Inserting Ads without breaking the SSL Saqib Ali (Apr 21)
- Re: OT: Inserting Ads without breaking the SSL Jason (Apr 22)
- Re: OT: Inserting Ads without breaking the SSL Saqib Ali (Apr 22)
- Re: OT: Inserting Ads without breaking the SSL Jason (Apr 22)
- Re: OT: Inserting Ads without breaking the SSL Zaninotti, Thiago (Apr 24)
- Re: OT: Inserting Ads without breaking the SSL Saqib Ali (Apr 22)
- Re: OT: Inserting Ads without breaking the SSL Jason (Apr 22)
- Re: OT: Inserting Ads without breaking the SSL Anthony Ettinger (Apr 22)
- Re: OT: Inserting Ads without breaking the SSL Andrew van der Stock (Apr 22)
- <Possible follow-ups>
- Re: Re: OT: Inserting Ads without breaking the SSL 7269 (Apr 27)
- Re: OT: Inserting Ads without breaking the SSL Jason (Apr 27)
- Re: Re: OT: Inserting Ads without breaking the SSL 7269 (Apr 27)
- Re: OT: Inserting Ads without breaking the SSL elawford (May 01)
- Re: OT: Inserting Ads without breaking the SSL Saqib Ali (Jun 12)