On 12/02/12 22:50 PM, Richard Dawes wrote:
Does anyone know if Firefox is immune to MITB attacks or can detect
them?


Firefox is completely non-immune. It's as if the attacker has taken over your browser and replaced it with his. There has been some work done in this area, but not a lot.

See this report on the BBC news website: -

http://www.bbc.co.uk/news/technology-16812064


Right. The SecureId thing is the American solution and was breached by MITB. Original paper on MITB was inspired by European experiences:


http://www2.futureware.at/svn/sourcerer/CAcert/SecureClient.pdf
http://financialcryptography.com/mt/archives/000758.html

Which was written with some inside familiarity. What then happened was that European banks rolled out programs to use the phone as a transaction-level signer, and also beefed up "border" controls such that local banks could work together and stop money moving as fast.

That all worked to contain the problem, and now the 2nd gen attacks are coming through. E.g., here:

http://financialcryptography.com/mt/archives/001349.html

(BBC article is about first gen attacks, bypassing the SecureId fob which only authenticates that the person is there, not the transaction).

iang
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
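
The distinction drawn in the message above, between a fob that only authenticates that the person is there and a phone used as a transaction-level signer, as an added sketch that is not part of the original post. The HMAC construction, the key, the account labels and every function name are assumptions made for illustration, not any bank's or vendor's scheme.

```python
import hashlib
import hmac

# Constructed demo key shared by the bank and the user's separate device.
DEVICE_KEY = b"constructed-demo-key"


def _code(key: bytes, *fields: str) -> str:
    # Unit-separator join keeps field boundaries unambiguous for this demo.
    msg = "\x1f".join(fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def presence_code(key: bytes, time_step: int) -> str:
    """Fob-style code: a function of key and clock only."""
    return _code(key, "presence", str(time_step))


def transaction_code(key: bytes, order: dict) -> str:
    """Phone-style code: covers the payee and amount shown on the device."""
    return _code(key, "txn", order["payee"], str(order["amount_cents"]), order["nonce"])


def bank_checks_presence(order: dict, code: str, time_step: int) -> bool:
    # The order's contents never enter the check, so any order passes.
    return hmac.compare_digest(code, presence_code(DEVICE_KEY, time_step))


def bank_checks_transaction(order: dict, code: str) -> bool:
    # Recomputed over the order the bank actually received.
    return hmac.compare_digest(code, transaction_code(DEVICE_KEY, order))


def demo() -> dict:
    # Constructed orders: what the user approved vs. what reached the bank
    # after being changed somewhere between the user and the bank.
    intended = {"payee": "ACCT-A", "amount_cents": 80000, "nonce": "n-001"}
    received = dict(intended, payee="ACCT-B")
    fob = presence_code(DEVICE_KEY, time_step=12345)
    signed = transaction_code(DEVICE_KEY, intended)  # device shows intended order
    return {
        "presence_accepts_altered": bank_checks_presence(received, fob, 12345),
        "transaction_accepts_intended": bank_checks_transaction(intended, signed),
        "transaction_accepts_altered": bank_checks_transaction(received, signed),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The presence code verifies regardless of what the order says, while the transaction code verifies only for the order the device displayed.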
