Michael O'Donnell wrote:
> Are you implying that the hijacking of encrypted browser
> sessions is something that we should be worried about?
> If so, I am genuinely interested in hearing more.
> Note that I'm not asking if it is *theoretically*
> possible, but rather if it's something that a normal,
> prudent individual should be worried about more than,
> say, getting whacked on the head by a meteorite...

Is it something that the *average* person should be worried about? Not
really. It takes a great deal of knowledge and time to hijack an
encrypted browser session. However, normal HTTP traffic can be hijacked
quite easily. So, if a site is set up to use htaccess in an unencrypted
fashion before you get to the encrypted site, then it is a lot easier to
do. There are utilities out there that can be used to hijack SSL browser
sessions, but they are not of the point-and-click variety. They usually
require some knowledge of IP spoofing, ARP redirection, and caching
man-in-the-middle attacks.

> How would it be done? Are there any examples of it
> actually happening in circumstances that a "normal" person
> would be likely to find himself?

Connections would be sniffed on the server side so that when you send a
request to the server, you obtain the client-side ARP info, create a
simultaneous ARP update, and poison the server's ARP cache (or a router
along the way). Then the info from the server is sent to you, and you
pass it back to the client (basic MITM attack). All traffic between the
client and the server is then passed through you before going to its
intended destination.

> And I'm talking about
> an encrypted session being "hijacked" once established,
> not during some sort of cleartext/initialization phase,
> or via inside info (e.g. a key or password) being obtained
> by other means.

Does it really matter how the session is hijacked? If you hijack a
cleartext session as the person logs into an encrypted site, you still
gain access. The end result is the same.

Kenny

PS Please note that I am leaving out some major details, since I am not
the type to broadcast a HOWTO on this subject. Oh, and LINUX ;-)

--
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Paranoia: It's not just for breakfast anymore
Linux: The last service pack that you will ever need
***********************************************************
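
The ARP cache poisoning described in the message above leaves a visible trace on the local segment: an IP address suddenly maps to a different MAC, and one MAC ends up claiming both the client's and the server's IP. The following detection sketch is an added example, not part of the original message; the function names, addresses and sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_arp(payload: bytes):
    """Parse a 28-byte Ethernet/IPv4 ARP payload -> (oper, sender_mac, sender_ip)."""
    if len(payload) < 28:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return oper, payload[8:14].hex(":"), ".".join(map(str, payload[14:18]))

def find_conflicts(payloads):
    """Flag IPs whose MAC changes and MACs that claim more than one IP."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for p in payloads:
        # Requests and replies both carry sender fields that receivers may cache.
        _oper, mac, ip = parse_arp(p)
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(("rebind", ip, old, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("multi-ip", mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts

def make_arp(oper, mac, ip, target_mac="00:00:00:00:00:00", target_ip="0.0.0.0"):
    """Build a constructed ARP payload for the sample below (test data only)."""
    pack_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    pack_ip = lambda a: bytes(int(x) for x in a.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + pack_mac(mac) + pack_ip(ip) + pack_mac(target_mac) + pack_ip(target_ip))

# Constructed sample: documentation IPs and locally administered MACs.
SAMPLE = [
    make_arp(2, "02:00:00:00:00:01", "192.0.2.1"),    # server announces itself
    make_arp(2, "02:00:00:00:00:0a", "192.0.2.10"),   # client announces itself
    make_arp(2, "02:00:00:00:00:66", "192.0.2.1"),    # third host claims server IP
    make_arp(2, "02:00:00:00:00:66", "192.0.2.10"),   # ...and the client IP
]

if __name__ == "__main__":
    for alert in find_conflicts(SAMPLE):
        print(alert)
```

Legitimate events such as DHCP reassignment or a failover pair also produce rebinds, so alerts of this kind need an allowlist of known bindings before they are actionable.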