[Dshield] Banks Shifting Logins to Non-SSL Pages

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Wed Aug 24 04:17:51 GMT 2005


On Tue, 23 Aug 2005 10:32:12 EDT, Roland Green said:
> If a client is not alert (ie checking the certificate), a bad guy that 
> sits in between a client and a server can spoof/alter your web pages 
> regardless of if the server uses SSL or not.

Close, but no cee-gar. Yes, a MITM attack *will* work against an unaware
user, but it's not your best bet...

Think about it.. Once it leaves your computer, it's really non-trivial
to snarf/intercept the packet for most consumer connections.  You can hack a router,
and try to pick one flow off an OC-48.  You can hack the webserver, you
can play DNS games.  But those are all non-trivial challenges in most cases.

Or you can just hack the user's computer and install a keystroke logger. And
at that point the SSL stuff doesn't matter....

Low hangin' froot, doods.  Always go for the low hangin' froot.... :)