Information Security News mailing list archives

Re: Security flaw found in Microsoft Web browser


From: InfoSec News <isn () c4i org>
Date: Thu, 15 Aug 2002 06:12:51 -0500 (CDT)

Forwarded from: Mark Hahn <MHahn () TCBTech com>

At 05:34 AM 8/14/2002, InfoSec News wrote:

The eminent Mr Schneier must have been misquoted. What this permits
is an MITM attack, the most obscure and unlikely of the scenarios.
Passive listening is presumably unaffected, by orders of magnitude a
greater danger.  I.e., say Yes to Mallory, say No to Eve.

MICROSOFT DOWNPLAYS REPORT

Not that anyone will believe them, but in this case, it is indeed
appropriate to assure that MITM attacks are hard. This doesn't mean
that they shouldn't fix the bug, but this flaw is more embarrassing
than devastating;  the fact that it took so long to find also points
out the relative lack of popularity that Mallory has in the real
world.

In my experience, a MITM attack is anything but "obscure and
unlikely". I have built several middle-man sites for various reasons
and they are not overly complex to build. When used for white-hat
purposes, they are called "Proxies". Add a little spam and you can
have thousands of users "using" the proxy. And, given that the "proxy"
can really use any valid certificate, you can keep any SSL-enabled
browser from complaining.

I wonder if this is a matter of experience-based perspective? I can
see how to build the MITM model and make it work, mostly. I cannot see
how to place an eavesdropper in a location likely to get enough
traffic to make it worthwhile. So maybe an eavesdropping attack looks
easier to some, MITM looks easier to others?

-MpH

   --------
Mark P. Hahn, CISSP                 MHahn () TCBTech com
Chief Technical Officer             609 716 9320
TCB Technologies, Inc.              Princeton Junction, New Jersey, USA



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

