funsec mailing list archives
Re: SSL/TLS broken?
From: Valdis.Kletnieks () vt edu
Date: Mon, 09 Nov 2009 23:32:40 -0500
On Mon, 09 Nov 2009 15:50:40 PST, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:

> Ummmm, are we missing something? As far as I can see, this affects *any* kind of e-commerce, but I'm not seeing much discussion on it ...
Yeah, it affects pretty much any SSL or TLS, so yes, basically all e-commerce. It's however mitigated by the requirement that you be able to MITM the connection. So, if you wanted to run this attack against my visit to www.amazon.com, you need to get me to visit your attack host instead of www.amazon.com. You might be able to pull a DNS trick, or you might be able to use an HTML e-mail that contains cruft like:

<this-is-an-a href=www.my-rbn-malware.com> www.amazon.com </a>

So there's a few preconditions that raise the bar a bit.
Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
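The reply above points out that the attack only works once the victim can be steered to the attacker's host, and gives a disguised HTML link (visible text says one site, href points at another) as one way to do that. The following is an added example, not code from the thread or its participants: a small Python checker, built on the standard-library HTMLParser, that flags anchors in an HTML mail body whose visible text names a host different from the host in the href. The sample message, the host names in it, and the function names are constructed for illustration. It compares bare hostnames with a simple subdomain rule and does no public-suffix handling, so it is a first-pass mail-gateway or training check rather than a complete phishing filter.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside anchor text, e.g. "www.amazon.com"
# or "https://www.amazon.com/orders". Group 1 is the host part.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def host_of_href(href: str) -> str:
    """Return the lowercase host of an href; tolerate scheme-less hrefs like href=www.x.com."""
    href = href.strip()
    if "://" not in href:
        href = "http://" + href
    return (urlparse(href).hostname or "").lower()


def host_in_text(text: str):
    """Return the first hostname-looking token in the anchor's visible text, or None."""
    match = HOST_IN_TEXT.search(text)
    return match.group(1).lower() if match else None


def same_site(a: str, b: str) -> bool:
    """Treat 'amazon.com' and 'www.amazon.com' as the same site (simple suffix rule)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


class LinkMismatchDetector(HTMLParser):
    """Collect (text_host, href_host) pairs for anchors whose text and href disagree."""

    def __init__(self):
        super().__init__()
        self._href = None        # href of the anchor currently open, if any
        self._text = []          # visible text fragments inside that anchor
        self.mismatches = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = host_in_text("".join(self._text))
            actual = host_of_href(self._href)
            # Only anchors whose text claims a host can be misleading about it.
            if shown and actual and not same_site(shown, actual):
                self.mismatches.append((shown, actual))
            self._href = None
            self._text = []


def find_mismatched_links(html_body: str):
    """Parse an HTML mail body and return the list of misleading anchors found."""
    detector = LinkMismatchDetector()
    detector.feed(html_body)
    detector.close()
    return detector.mismatches


# Constructed sample mail body: one honest link, one disguised link of the kind
# described in the thread, and one link whose text names no host at all.
SAMPLE_EMAIL_HTML = """
<p>Your order has shipped. Track it at
<a href="https://www.example-shop.test/orders/123">www.example-shop.test</a>.</p>
<p>Please confirm your payment details:
<a href=www.bad-site.example> www.amazon.com </a></p>
<p><a href="https://www.amazon.com/">Visit Amazon</a></p>
"""

if __name__ == "__main__":
    for shown, actual in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text names {shown} but points at {actual}")
```

Running it on the sample body reports the single disguised anchor (text claims www.amazon.com, href goes to www.bad-site.example) and stays quiet on the honest link and on "Visit Amazon", whose text makes no claim about a host. Mail clients that render the href on hover give users the same information, but a check at the gateway catches it before the user has to notice.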