Full Disclosure mailing list archives

Re: How to prevent HTTPS MitM

From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 17 Jan 2013 19:33:55 -0500

On Thu, Jan 17, 2013 at 3:56 PM, Luigi Rosa <lists () luigirosa com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If this message is offtopic, please excuse me.

I was reading about Nokia HTTPS MitM. Many corporate firewall can MitM HTTPS
for content inspection and many governments do this for their reasons.

I was thinking: could it be possible to create a fake HTTPS stream to DoS the
MitM attempt?

Stop conferring trust.

Pin the certifcate or public key. Google used it to vet out the
Diginotar compromise in Chrome (all other browsers suffered). Its
similar to SSH's StrictHostKeyChecking option. Its also on track for
internet standards:
http://tools.ietf.org/html/draft-ietf-websec-key-pinning-04.

Use Secure Remote Password (SRP). SRP is basically Diffei-Hellman
using the password as an exponent (lots of handwaiving).

Don't trust browsers. That includes Mozilla (Trustwave and the closed
door, back room deals) or Opera (Nokia and its 'Acceleration
Interception').

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

How to prevent HTTPS MitM Luigi Rosa (Jan 17)
- Re: How to prevent HTTPS MitM Jeffrey Walton (Jan 17)
- Re: How to prevent HTTPS MitM Jann Horn (Jan 18)
- Re: How to prevent HTTPS MitM gremlin (Jan 18)