funsec mailing list archives

Re: SSL/TLS broken?


From: Valdis.Kletnieks () vt edu
Date: Mon, 09 Nov 2009 23:32:40 -0500

On Mon, 09 Nov 2009 15:50:40 PST, "Rob, grandpa of Ryan, Trevor, Devon & Hannah" said:
> Ummmm, are we missing something?  As far as I can see, this affects *any* kind
> of e-commerce, but I'm not seeing much discussion on it ...

Yeah, it affects pretty much any SSL or TLS, so yes, basically all e-commerce.

It's however mitigated by the requirement that you be able to MITM the connection.
So, if you wanted to run this attack against my visit to www.amazon.com,
you need to get me to visit your attack host instead of www.amazon.com.
You might be able to pull a DNS trick, or you might be able to use an HTML
e-mail that contains cruft like:

<this-is-an-a href=www.my-rbn-malware.com> www.amazon.com </a>

So there's a few preconditions that raise the bar a bit.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
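
The mismatch described in the message above, where a link displays one hostname but points at another, can be checked mechanically on inbound HTML mail. The following is an added example, not part of the original post or the list archive; the function names, the sample body and both hostnames are constructed, and the subdomain comparison is a simplifying assumption (no public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # hostname-like text

def host_of(href):
    """Host an href points at; a bare 'www.x.example' is treated as a host."""
    href = href.strip()
    if "://" not in href and not href.startswith("//"):
        if href.startswith(("/", "#", "mailto:")):
            return ""                      # no remote web host to compare
        href = "//" + href
    return (urlsplit(href).hostname or "").lower()

def same_site(a, b):  # assumption: equal, or one is a subdomain of the other
    a, b = (re.sub(r"^www\.", "", h) for h in (a, b))
    return a == b or a.endswith("." + b) or b.endswith("." + a)

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown, target = " ".join("".join(self.text).split()), host_of(self.href)
        for claimed in HOST_RE.findall(shown):
            if target and not same_site(claimed.lower(), target):
                self.findings.append((shown, claimed.lower(), target))
        self.href = None

def mismatched_links(html):  # -> [(visible text, host shown, host linked)]
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample mail body; both hostnames are made up for the example.
SAMPLE = """<p>Track your order at
<a href=www.attacker.example> www.shop.example </a> or see the
<a href="https://www.shop.example/help">www.shop.example help pages</a>.</p>"""

if __name__ == "__main__":
    print(mismatched_links(SAMPLE))
```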
