Vulnerability Development mailing list archives
Re: Secure Yahoo logins
From: David Thiel <lx () redundancy redundancy org>
Date: Wed, 28 Aug 2002 10:05:27 -0700
On Wed, Aug 28, 2002 at 01:36:06AM -0700, Nick Jacobsen wrote:
> I just love this... You are telling me that I can't sniff information from an SSL session using a MITM attack? The whole point is that you are in the middle...

I've used ettercap, I'm familiar with how the attacks work - to me, what you seemed to be saying was that it was possible to decrypt SSL off of the wire. So yes, you're correct that you can use ettercap for an HTTP/SSL MITM attack, but the fact remains that saying that using SSL for a login session is "pointless" is just not accurate.

While an unencrypted connection can be sniffed at places other than the local LAN, an SSL-ified one would require DNS cache poisoning to mount a MITM attack. This is easy to defend against, and there's also the fact that the end user will get a certificate warning in this kind of situation (which they'll probably ignore, but this is beside the point), whether the attack is local or remote. SSL is another layer of security, which, while not bulletproof, is a Good Thing.

Cheers,
David