Michael L Torrie wrote: > On Wed, 2007-03-14 at 10:07 -0700, Nicholas Leippe wrote: > >> This is an optimization. Your host does this with the idea that if you do >> decide to talk to one of these machines from which it has already seen ARP >> traffic, it can skip that step. >> >> As for man-in-the middle, playing with ARP can cause disruption of services, >> and could intercept insecure protocols. Which is why for critical data, ssl >> or other secure mechanism should be used. >> > > Additionally this is why SSL uses certificates that should be verified > to prove that the host is who it says it is. Also ssh key fingerprints > should always be verified. How often do we ssh into a box and just > automatically type "yes" to the fingerprint authorization? > > Michael > The point of my project is to show that in many cases, SSL will not protect you, because it's enabled to late in the game. Many web sites present their login forms over an insecure connection, and then use SSL to process the form. For my project, I wrote a simple proof-of-concept program that (once I have a man-in-the-middle attack going by way of ARP-spoofing), watches for the victim to request a certain page (in this case, the BYU home page), and then my program serves up an altered version. If the client uses the altered login form, their username and password are sent in the clear, and picked up by my program.
Since I've started working on this, I haven't used a login form that wasn't given to me over SSL. Luckily, everything I use has some sort of secure login form somewhere on their site. I've tried to find one for Zion's bank, and haven't been able to. Fortunately, I don't bank with them. -- Topher Fischer GnuPG Fingerprint: 3597 1B8D C7A5 C5AF 2E19 EFF5 2FC3 BE99 D123 6674 [EMAIL PROTECTED]
signature.asc
Description: OpenPGP digital signature
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
