Dailydave mailing list archives
Re: SSL MITM fun.
From: Fyodor <fyodor () insecure org>
Date: Thu, 19 Feb 2009 15:36:05 -0800
On Thu, Feb 19, 2009 at 01:04:33PM -0500, Dan Moniz wrote:
> On Thu, Feb 19, 2009 at 12:07 PM, Dave Aitel <dave () immunityinc com> wrote:
> > https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
> >
> > Essentially he details 3 attacks (from what I can tell):
> > 1. Register a .cn address and use unicode character for / and ? to have HTTPS://www.paypal.com/?domain.cn?<some args> validate
>
> Unless I'm missing something, this is essentially what Eric Johanson said in 2005 about IDN:
Moxie credits 3ric by name on slide 87. But the browsers have made adjustments to prevent 3ric's exact attacks. Moxie demonstrates ways to generalize the attacks a bit and also get around the new restrictions (such as refusing to render IDN in the com TLD).

The slides give numbers for how many people he apparently fooled with the MITM attacks (e.g. 16 credit card numbers and 7 PayPal logins and 300 other https logins in 24 hours), but it isn't clear from the slides alone where he performed the attacks. Maybe a coffee shop? I'm hoping it was on the Black Hat DC network before his presentation :).

Some of the information in the slides is already well known, but I hope he can shame organizations (particularly the banks and browser vendors) into actually doing something about it.

Also, the presentation gives the http://thoughtcrime.org URL for his sslstrip software, but I don't see it there yet. I currently just see his old sslsniff program.

Too bad he doesn't talk about extended validation certs, as they certainly have their own spoofing problems too. Particularly if one can get hold of a non-EV (domain validated) cert for the domain.

Cheers,
Fyodor
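As an added illustration that is not part of the original post or of any browser's code: a defensive check for the lookalike-delimiter hostnames discussed in this thread. It flags non-ASCII hostname characters that are punctuation or symbols (or that NFKC-fold to `/`, `?` or `#`) and falls back to a punycode display form. The function names, the fallback policy and the sample URL (with the reserved `.example` TLD standing in for the `.cn` domain) are assumptions made for this example.

```python
import unicodedata

ASCII_DELIMS = "/?#"

def host_of(url):
    """Hostname as seen by a parser that splits only on ASCII delimiters."""
    rest = url.split("://", 1)[-1]
    for d in ASCII_DELIMS:
        rest = rest.split(d, 1)[0]
    rest = rest.rsplit("@", 1)[-1]          # drop userinfo
    return rest.split(":", 1)[0].lower()    # drop port (IPv6 literals not handled)

def suspicious_chars(host):
    """Non-ASCII characters that are punctuation/symbols, or that
    NFKC-normalize to an ASCII URL delimiter."""
    found = []
    for ch in host:
        if ord(ch) < 128:
            continue
        category = unicodedata.category(ch)
        folded = unicodedata.normalize("NFKC", ch)
        if category[0] in "PS" or any(d in folded for d in ASCII_DELIMS):
            found.append((f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return found

def display_host(host):
    """Show flagged hosts label by label in punycode; leave others untouched.
    Uses raw punycode without nameprep, which is enough for a display fallback."""
    if not suspicious_chars(host):
        return host
    labels = []
    for label in host.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)

# Constructed sample: U+2044 and U+FF1F stand in for "/" and "?" inside the host.
SAMPLE = "https://www.paypal.com\u2044webscr\uff1fid.domain.example/index"

if __name__ == "__main__":
    host = host_of(SAMPLE)
    print(suspicious_chars(host))
    print(display_host(host))
```

With the fallback applied, the address bar shows an `xn--` label in the middle of the name, and the real registrable domain at the end of the host is no longer visually hidden behind a fake path.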