Information Security News mailing list archives
Re: Security flaw found in Microsoft Web browser
From: InfoSec News <isn () c4i org>
Date: Thu, 15 Aug 2002 06:12:51 -0500 (CDT)
Forwarded from: Mark Hahn <MHahn () TCBTech com>

At 05:34 AM 8/14/2002, InfoSec News wrote:
> The eminent Mr Schneier must have been misquoted. What this permits is an MITM attack, the most obscure and unlikely of the scenarios. Passive listening is presumably unaffected, by orders of magnitude a greater danger. I.e., say Yes to Mallory, say No to Eve.
>
> MICROSOFT DOWNPLAYS REPORT
>
> Not that anyone will believe them, but in this case, it is indeed appropriate to assure that MITM attacks are hard. This doesn't mean that they shouldn't fix the bug, but this flaw is more embarrassing than devastating; the fact that it took so long to find also points out the relative lack of popularity that Mallory has in the real world.
In my experience, a MITM attack is anything but "obscure and unlikely". I have built several middle-man sites for various reasons and they are not overly complex to build. When used for white-hat purposes, they are called "Proxies". Add a little spam and you can have thousands of users "using" the proxy. And, given that the "proxy" can really use any valid certificate, you can keep any SSL-enabled browser from complaining.

I wonder if this is a matter of experience-based perspective? I can see how to build the MITM model and make it work, mostly. I cannot see how to place an eavesdropper in a location likely to get enough traffic to make it worthwhile. So maybe an eavesdropping attack looks easier to some, MITM looks easier to others?

-MpH

--------
Mark P. Hahn, CISSP MHahn () TCBTech com
Chief Technical Officer 609 716 9320
TCB Technologies, Inc. Princeton Junction, New Jersey, USA

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.