[Dshield] Banks Shifting Logins to Non-SSL Pages
Valdis.Kletnieks at vt.edu
Wed Aug 24 04:17:51 GMT 2005
On Tue, 23 Aug 2005 10:32:12 EDT, Roland Green said:
> If a client is not alert (i.e. checking the certificate), a bad guy that
> sits in between a client and a server can spoof/alter your web pages
> regardless of whether the server uses SSL or not.
Close, but no cee-gar. Yes, a MITM attack *will* work against an unaware
user, but it's not your best bet...
Think about it. Once it leaves your computer, it's really non-trivial
to snarf/intercept the packet for most consumer connections. You can hack a router
and try to pick one flow off an OC-48. You can hack the webserver, you
can play DNS games. But those are all non-trivial challenges in most cases.
Or you can just hack the user's computer and install a keystroke logger. And
at that point the SSL stuff doesn't matter...
Low hangin' froot, doods. Always go for the low hangin' froot.... :)