Friday, February 20th, 2009 01:20 pm

Q:  You're a smart black-hat.  How do you quickly and easily break into an HTTPS secure connection?

A:  You don't.  You attack the underlying HTTP instead.  It's a softer target.

"People only encounter HTTPS via HTTP, so maybe we can think about starting by attacking HTTP," he said.  "Normally, if we're doing man-in-the-middle attacks against SSL, we go straight for SSL, straight after that connection.  But if SSL depends on this other protocol, why don't we look at that first?"
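The point of the quote is that the attacker never has to defeat TLS at all: the victim reaches the HTTPS page through a plain-HTTP page, and whoever is relaying that plain-HTTP hop can simply rewrite every https:// reference to http:// before it arrives, so the victim's next request comes in the clear too.  The following is an added illustration for this post, not code from the post's author or from the talk it quotes.  The response bodies, the host name bank.example and the function names are all constructed for the example; the client-side check at the end is the idea that a browser which remembers a host as HTTPS-only should refuse a plain-http link to it (the mechanism later standardised as HSTS).

```python
"""Added example: a man-in-the-middle on the plain-HTTP hop downgrading
HTTPS references, and the client-side check that defeats the downgrade.
All sample responses and host names below are constructed."""
import re
from urllib.parse import urlsplit

# Constructed sample: a front page served over plain HTTP whose login
# link and form point at HTTPS.  This is the page the victim asks for first.
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>\n"
    '<a href="https://bank.example/login">Log in</a>\n'
    '<form action="https://bank.example/auth" method="post">\n'
    '<input name="user"><input name="pass" type="password"></form>\n'
    '<a href="http://bank.example/help">Help</a>\n'
    "</body></html>\n"
)

# Constructed sample: a site that tries to bounce the visitor to HTTPS.
SAMPLE_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://bank.example/login\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

HTTPS_URL = re.compile(r"https://([^\s\"'<>]+)")


def split_response(raw):
    """Split a raw HTTP response into (status line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers, body


def strip_https(raw):
    """What the man-in-the-middle does to each plain-HTTP response it relays.

    Every https:// reference in the body, and any https:// Location
    redirect, is rewritten to http://.  The victim's browser therefore
    sends its next request (including the login form) in the clear, and
    the attacker relays it onward, opening the real HTTPS connection
    itself.  TLS is never attacked.  Returns (rewritten response,
    list of downgraded host/path strings).
    """
    status, headers, body = split_response(raw)
    downgraded = []

    def swap(match):
        downgraded.append(match.group(1))
        return "http://" + match.group(1)

    body = HTTPS_URL.sub(swap, body)
    location = headers.get("Location", "")
    if location.startswith("https://"):
        rest = location[len("https://"):]
        headers["Location"] = "http://" + rest
        downgraded.append(rest)
    rebuilt = (status + "\r\n"
               + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
               + "\r\n" + body)
    return rebuilt, downgraded


def should_refuse(url, https_only_hosts):
    """Client-side check that defeats the downgrade.

    If the browser remembers that a host must only ever be reached over
    HTTPS, a plain-http URL to that host is refused (or upgraded locally)
    instead of being sent on the wire where the MITM is waiting.
    """
    parts = urlsplit(url)
    return parts.scheme == "http" and parts.hostname in https_only_hosts


if __name__ == "__main__":
    rewritten, hit = strip_https(SAMPLE_HTTP_RESPONSE)
    print("downgraded:", hit)
    remembered = {"bank.example"}   # hypothetical HTTPS-only memory
    for link in re.findall(r'(?:href|action)="([^"]+)"', rewritten):
        verdict = "REFUSE" if should_refuse(link, remembered) else "follow"
        print(f"{verdict:7} {link}")
```

Note what the check does and does not buy you: it only helps for hosts the client already knows are HTTPS-only, so the very first visit to a site, made over plain HTTP because that is what the user typed, is exactly the window the quote is pointing at.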

Friday, February 20th, 2009 07:54 pm (UTC)
I had a fascinating conversation with Eugene Kaspersky a couple of days ago. He made almost exactly this point only in more general terms using an analogy.

I paraphrase:
"If you were walking around the old town of Barcelona" - we were in Barcelona for Mobile World - "and you had a wallet with €1 million in it you'd be careful to avoid dark corners and pickpockets. But if you are in the Hilton hotel you are less security conscious. So a well dressed con man will talk to you in the Hilton and you'll end up giving him the money to 'invest'."

The problem with computers and the internet is we find it hard to recognise the rough side of town and the con men on the good side.

Friday, February 20th, 2009 07:59 pm (UTC)
Precisely. "On the Internet, nobody knows you're a dog." ...Or a con-man, until it's too late.