[Dshield] Eavesdropping

Tony Earnshaw tonye at billy.demon.nl
Tue Jun 8 10:53:15 GMT 2004


man, 07.06.2004 kl. 09.32 skrev Stephane Grobety:

> That PDF is an excellent summary of several key concept in computer
> crypto systems: Thank you, I will be re-using it.
> 
> What is doesn't contains, however, is anything to back up your own
> comment: that HTTPS sessions can, are and will be hijacked.

Self-signed, badly implemented certs and clients that do not actually
complain, merely ask for confirmation.

> I've asked another poster to come up with some reference material
> before but perhaps my question was a bit too complex in formulation,
> so I'll try again:
> 
> Do you have reference material that points to a non-trivial way to
> hijack an HTTP session between a modern, widely deployed web browser
> and a modern, widely deployed web server given the three following
> factors:
> 
> 1/ It doesn't rely on the user making the wrong choice.
> 2/ The server key hasn't been stolen by the attacker in a way that
> isn't directly related to the SSL protocol.
> 
> I'll remind you that "non-trivial", when speaking about an attack on a
> crypto system, excludes solution like exhaustive key space search.

You now qualify your question by stating that everyone on every network
must know exactly what he/she is doing and assumes that they care. The
answer to your question is, as you yourself surely are well aware, "no".
But the problem is, as the millions of zombies everywhere prove, that
not everyone knows what they are doing, nor do most of them care -
unfortunately :(

Best,

--Tonni

-- 

We make out of the quarrel with others rhetoric
but out of the quarrel with ourselves, poetry.

mail: tonye at billy.demon.nl
http://www.billy.demon.nl




More information about the list mailing list