[Dshield] Banks Shifting Logins to Non-SSL Pages

Stephane Grobety security at admin.fulgan.com
Tue Aug 23 16:36:28 GMT 2005

Hello John,

I'm not saying that SSL isn't useful when used right, I'm saying it's
almost never used right: poor user training, poor software design and
poor behavior from the SSL certificate providers make it almost
impossible to do it right.

Just an example using SSL and your free (but rogue) wireless hotspot:

1/ I set up a hotspot so that all HTTP traffic is redirected to an
instruction page. There, I state that company "ACME Phishing inc." is
happy to provide everyone with free wireless services and that, for
security reasons, they ask you to secure your connection to their
hotspot with VPN.
2/ Instruct the users to set up a simple IPsec VPN and, during that
process, ask them to import your CA root "using the defaults". No
virus, no EXE, just a couple of pages of a simple-to-set-up wizard.
3/ Let them connect and roam at will. Just make sure you redirect the
relevant online banking sites to your own private server (easy to do:
you control the client's DNS) and have these servers answer with
perfectly valid X509 server certificates promising they are "bank of
america", "Fort Knox funds" or whatever.

I bet that if you do that in a hotel room, you'll quickly get a LOT of
people signing up...

It's just an example, mind you: this one relies on the fact that users
aren't properly trained. You could design similar scenarios using all
the problems I've initially outlined.

Good luck,

Tuesday, August 23, 2005, 6:02:26 PM, you wrote:

JBH> Stephane,

JBH> with the proliferation of wireless hot spots, few of which as of now
JBH> provide strong authentication of the Access Point/Service provider to the
JBH> client, it would seem that a MIM attack from so-called "evil twin" AP
JBH> against users of www sites such as AMEX, Chase, etc. would present a
JBH> greater risk than if these financial service providers continued to
JBH> utilize SSL from the get go.
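The scenario above hinges on a root CA that was quietly added to the client's trust store, after which every certificate it signs looks "perfectly valid". One defender-side check is to audit the trust store against a known-good baseline of root fingerprints so that an unexpected root shows up. The following is an added example written for this thread, not code from the list post or from any project mentioned in it; the SHA-256-over-DER fingerprint is the standard one shown by browsers and OpenSSL, the baseline is something you record on a clean machine, and the sample "certificates" in the test are constructed byte strings, not real DER.

```python
import hashlib
import ssl
from typing import Iterable, Optional


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as colon-separated
    upper-case hex (the same form browsers and `openssl x509 -fingerprint
    -sha256` display)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def system_root_certs() -> list:
    """Return the root CA certificates Python's ssl module trusts on this
    host, as DER bytes. This reads the OS / OpenSSL default store; roots
    imported by a "VPN setup wizard" into that store would appear here."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return ctx.get_ca_certs(binary_form=True)


def audit_trust_store(baseline: Iterable[str],
                      roots: Optional[list] = None):
    """Compare the roots currently trusted against a recorded baseline of
    fingerprints. Returns (unexpected, missing): roots present now but not
    in the baseline, and baseline roots that have disappeared. `roots` is
    injectable so the check can run against a captured list offline."""
    if roots is None:
        roots = system_root_certs()
    present = {fingerprint(der) for der in roots}
    expected = set(baseline)
    return sorted(present - expected), sorted(expected - present)


if __name__ == "__main__":
    # Record a baseline on a clean machine, then rerun with that list to
    # spot roots that were added later (assumed workflow, not a product).
    unexpected, missing = audit_trust_store(baseline=[])
    print(f"{len(unexpected)} trusted roots not in baseline")
    for fp in unexpected[:5]:
        print("  ", fp)
```

In practice the baseline list would be written out once from a freshly provisioned machine and checked into configuration management; any fingerprint reported as unexpected afterwards is a root somebody or something added and is worth a close look before the machine is used for banking.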

