Re: OT: Inserting Ads without breaking the SSL

[Jason <security () brvenik com>]

Saqib Ali wrote:
> > I would not believe it possible as you describe it. Have you seen this
> > happen?
>
>
> I have not seen it myself. But I plan to visit Santa Clara and try it
> out in next couple of days. But I found their technique to be very
> strange, cause they clearly says that NO software installation
> required on their website. So I figured it must be some kind of proxy
> that modify the HTML pages. But that would certainly break SSL.

It is not difficult to implement a transparent proxy that does this for
regular HTTP traffic leaving the other traffic completely alone. There
are many examples to look at and I suspect this is really just an
extension of captive portals.

> I thought other readers of this list may have seen / implemented
> something like this. Thus the question.

There have been MITM tools released and they can be effective but
generally rely on the user making a mistake. I would doubt the SSL is
being touched at all.

> --
> Saqib Ali, CISSP, ISSAP
> Support http://www.capital-punishment.net
> -----------
> "I fear, if I rebel against my Lord, the retribution of an Awful Day
> (The Day of Resurrection)" Al-Quran 6:15
> -----------

-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------