Vulnerability Development mailing list archives

Re: Secure Yahoo logins


From: David Thiel <lx () redundancy redundancy org>
Date: Wed, 28 Aug 2002 10:05:27 -0700

On Wed, Aug 28, 2002 at 01:36:06AM -0700, Nick Jacobsen wrote:
> I just love this...  You are telling me that I can't sniff information from
> an SSL session using a mitm attack?  The whole point is that you are in the
> middle...

I've used ettercap, I'm familiar with how the attacks work - to me,
what you seemed to be saying was that it was possible to decrypt
SSL off of the wire.  So yes, you're correct that you can use
ettercap for an HTTP/SSL MITM attack, but the fact remains that
saying that using SSL for a login session is "pointless" is just
not accurate.  

While an unencrypted connection can be sniffed at places other than
the local LAN, an SSL-ified one would require DNS cache poisoning
to mount a MITM attack.  This is easy to defend against, and there's
also the fact that the end user will get a certificate warning in
this kind of situation (which they'll probably ignore, but this is
beside the point), whether the attack is local or remote.  SSL is
another layer of security, which, while not bulletproof, is a Good
Thing.

Cheers,
David

