[Dshield] Eavesdropping

Stephane Grobety security at admin.fulgan.com
Mon Jun 7 07:32:02 GMT 2004


TE> It's possible to hijack an https session, it has been done and it
TE> will be done again:

TE> http://www.ws.afnog.org/afnog2004/t1/security/crypto-slides.pdf

That PDF is an excellent summary of several key concept in computer
crypto systems: Thank you, I will be re-using it.

What is doesn't contains, however, is anything to back up your own
comment: that HTTPS sessions can, are and will be hijacked.

I've asked another poster to come up with some reference material
before but perhaps my question was a bit too complex in formulation,
so I'll try again:

Do you have reference material that points to a non-trivial way to
hijack an HTTP session between a modern, widely deployed web browser
and a modern, widely deployed web server given the three following
factors:

1/ It doesn't rely on the user making the wrong choice.
2/ The server key hasn't been stolen by the attacker in a way that
isn't directly related to the SSL protocol.

I'll remind you that "non-trivial", when speaking about an attack on a
crypto system, excludes solution like exhaustive key space search.

Thanks,
Stephane




More information about the list mailing list