funsec mailing list archives
Re: SSL/TLS broken?
From: Dan Kaminsky <dan () doxpara com>
Date: Tue, 10 Nov 2009 00:27:49 -0500
Nah, it's not that easy. The browser needs to think it's talking to www.amazon.com for the Amazon cookie to show up. Not downplaying the bug -- it's a problem -- but it's not THAT problem. On Nov 9, 2009, at 11:32 PM, Valdis.Kletnieks () vt edu wrote:
On Mon, 09 Nov 2009 15:50:40 PST, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:Ummmm, are we missing something? As far as I can see, this affects *any* kind of e-commerce, but I'm not seeing much discussion on it ...Yeah, it affects pretty much any SSL or TOS, so yes, basically all e- commerce. It's however mitigated by the requirement that you be able to MITM the connection. So, if you wanted to run this attack against my visit to www.amazon.com , you need to get me to visit your attack host instead of www.amazon.com. You might be able to pull a DNS trick, or you might be able to use an HTML e-mail that contains cruft like: <this-is-an-a href=www.my-rbn-malware.com> www.amazon.com </a> So there's a few preconditions that raise the bar a bit. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- SSL/TLS broken? Rob, grandpa of Ryan, Trevor, Devon & Hannah (Nov 09)
- Re: SSL/TLS broken? Dan Kaminsky (Nov 09)
- Re: SSL/TLS broken? Valdis . Kletnieks (Nov 09)
- Re: SSL/TLS broken? Dan Kaminsky (Nov 09)
- Re: SSL/TLS broken? Toralv_Dirro (Nov 10)
- Re: SSL/TLS broken? Buhrmaster, Gary (Nov 10)
- Re: SSL/TLS broken? Dan Kaminsky (Nov 09)
- Re: SSL/TLS broken? Larry Seltzer (Nov 10)