Full Disclosure mailing list archives
Re: How to prevent HTTPS MitM
From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 17 Jan 2013 19:33:55 -0500
On Thu, Jan 17, 2013 at 3:56 PM, Luigi Rosa <lists () luigirosa com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If this message is offtopic, please excuse me. I was reading about Nokia HTTPS MitM. Many corporate firewall can MitM HTTPS for content inspection and many governments do this for their reasons. I was thinking: could it be possible to create a fake HTTPS stream to DoS the MitM attempt?
Stop conferring trust. Pin the certifcate or public key. Google used it to vet out the Diginotar compromise in Chrome (all other browsers suffered). Its similar to SSH's StrictHostKeyChecking option. Its also on track for internet standards: http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04. Use Secure Remote Password (SRP). SRP is basically Diffei-Hellman using the password as an exponent (lots of handwaiving). Don't trust browsers. That includes Mozilla (Trustwave and the closed door, back room deals) or Opera (Nokia and its 'Acceleration Interception'). Jeff _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- How to prevent HTTPS MitM Luigi Rosa (Jan 17)
- Re: How to prevent HTTPS MitM Jeffrey Walton (Jan 17)
- Re: How to prevent HTTPS MitM Jann Horn (Jan 18)
- Re: How to prevent HTTPS MitM gremlin (Jan 18)