At 07:35 PM 10/6/99 -0400, Phillip Hallam-Baker wrote:
>This is a problem with SSL 2.0 first discovered by Simon Spero then at
>EIT.
>It was fixed in SSL 3.0, that must be almost three years ago.

That's not the big issue here.  Server-spoofing is not fully prevented
by any version of SSL.  The problem is in how the typical user interacts
with the system.

There are many ways the user can be tricked by what he sees into
believing he is interacting with a trustworthy familiar site, when in
fact the site is a malicious imposter or site-in-the-middle.  Changing
the DNS binding is certainly not the only way to do it.

>The server certificate now binds the public key to a specific Web server
>address.
>
>               Phill

The point is that none of this binding matters if the user doesn't know
if the Web server address is correct.  SSL alone just can't solve this
problem.

While you may not consider this to be "a problem with SSL", many people have
unrealistic expectations of what SSL or any similar cert-based protocol can
and cannot do.

>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Robert Hettinga
>Sent: Wednesday, October 06, 1999 4:22 PM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second
>Ed.)
>
>At 2:00 PM -0400 on 10/6/99, [EMAIL PROTECTED] wrote:
>
>> Title: Special Kurt's Closet: Is SSL dead?
>> Resource Type: News letter
>> Date: September 30, 1999
>> Source: Security Portal
>> Author: Kurt Seifried
>> Keywords: INTERNET/WWW    ,SECURITY ISSUES ,ONLINE SHOPPING ,SSL
>>
>> Abstract/Summary:
>> The title is a bit scary, but I wanted to get your attention (worked,
>> didn't it?). Most security experts have been aware of problems with SSL,
>> but generally speaking we haven't said much because there wasn't much of
>> a replacement available for it, and it hasn't been exploited extensively
>> (chances are it will be, though). I'll start with an explanation of the
>> basic attack, followed by some methods to protect yourself, and finish
>> with an interview with Dale Peterson of DigitalBond and the summary.
>>
>> How to do it
>>
>> Let's say I want to scam people's credit card numbers, and don't want to
>> break into a server. What if I could get people to come to me, and
>> voluntarily give me their credit card numbers? Well, this is entirely too
>> easy.
>>
>> I would start by setting up a web server, and copying a popular site to
>> it, say www.some-online-store.com, time required to do this with a tool
>> such as wget is around 20-30 minutes. I would then modify the forms used
>> to submit information and make sure they pointed to my server, so I now
>> have a copy of www.some-online-store.com that looks and feels like the
>> "real" thing. Now, how do I get people to come to it? Well I simply
>> poison their DNS caches with my information, so instead of
>> www.some-online-store.com pointing to 1.2.3.4, I would point it to my
>> server at 5.6.7.8. Now when people go to www.some-online-store.com they
>> end up at my site, which looks just like the real one.
>>
>> Original URL: http://securityportal.com/closet/closet19990930.html
>>
>> Added: Wed  Oct  6 12:41:14 -040 1999
>> Contributed by: Keeffee

----------------------------
David P. Jablon
[EMAIL PROTECTED]
www.IntegritySciences.com
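The name binding that the quoted reply credits to SSL 3.0 is only enforced by the client comparing the certificate's DNS names against the host the user actually asked for. The following is an added example, not code from this thread or from any mail client: it implements a simplified RFC 6125 DNS-ID match and runs it on constructed certificate names, to show that the check is exactly as good as the name the user chose.

```python
# Added example (not from the thread): hostname verification is the client-side
# half of "binding the public key to a specific Web server address". The
# certificate names and host names below are constructed for illustration.

def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; only a whole-label '*' wildcard is honoured."""
    if pattern == "*":
        return True
    return pattern == label

def hostname_matches(dns_ids: list[str], hostname: str) -> bool:
    """Return True if hostname is covered by one of the certificate's DNS-IDs.

    Rules (a subset of RFC 6125 section 6.4.3):
      - comparison is case-insensitive and ignores a trailing dot
      - a wildcard is honoured only as the entire leftmost label
      - a wildcard never spans more than one label and never covers a bare TLD
    """
    host = hostname.rstrip(".").lower().split(".")
    for dns_id in dns_ids:
        pat = dns_id.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue                      # a wildcard cannot absorb extra labels
        if "*" in pat[1:] or (pat[0] == "*" and len(pat) < 3):
            continue                      # wildcard not leftmost, or too broad
        if any("*" in p and p != "*" for p in pat):
            continue                      # partial wildcards like f*o are rejected
        if all(_label_matches(p, h) for p, h in zip(pat, host)):
            return True
    return False

# Constructed certificates: the genuine shop, and an imposter holding its own,
# perfectly valid, certificate for a look-alike name it legitimately controls.
GENUINE_CERT_SANS = ["www.some-online-store.com", "some-online-store.com"]
IMPOSTER_CERT_SANS = ["*.some-onlinestore.com"]   # hyphen missing

def check_visit(cert_sans: list[str], typed_host: str) -> bool:
    """All the browser can verify: does this certificate belong to typed_host?"""
    return hostname_matches(cert_sans, typed_host)

if __name__ == "__main__":
    # Genuine name answered with the imposter's certificate: rejected, so a
    # DNS redirect alone is caught by SSL 3.0-style name binding.
    print(check_visit(IMPOSTER_CERT_SANS, "www.some-online-store.com"))  # False
    # User led to the look-alike name: the binding holds, the check passes,
    # and nothing in the protocol can say this is the wrong shop.
    print(check_visit(IMPOSTER_CERT_SANS, "www.some-onlinestore.com"))   # True
```

The second case is Jablon's point in code: the protocol proves the key belongs to the name in the URL bar, not that the name in the URL bar is the one the user meant.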
