On Fri, Jul 07, 2017 at 09:17:28AM -0500, Ken Norton wrote:
>
> However, it gets worse.
>
> The fake hotspot isn't just scraping the traffic, but can intrude in
> ways that will make your blood boil. HTTPS is supposed to be the
> end-all, be-all in secure communications. Right? Normally, yes, but in
> this scenario, I can screw with you big time. Let's say you log into
> gmail. The login screen pulls up the HTTPS address like you expect.
> Even McAfee and what-not is reporting a healthy connection. What your
> computer doesn't know is that my fake hotspot has established a proper
> HTTPS connection to the server with YOUR mac address, and is serving
> you a fake screen to your computer. Your computer still shows HTTPS,
> but what you don't know is that it is anything but secure. You aren't
> communicating with gmail, you are communicating with the spoofer
> device and the spoofer device is communicating with the server. Until
> recently, most hackers only scraped your login ID and password, and
> then would break the link and let you relog back in per normal. To
> stay "hidden" they would get only the information they needed and
> would then go back into listen-mode only. Active hot-spot spoofing is
> easily detectable and a crime. Listening usually isn't.
The SSL (secure sockets layer) protocol used by HTTPS and SSH is
designed to prevent man-in-the-middle attacks like this.
There were a couple of compromisable protocols (SSL3.0 & TLS1.0) which
are now deprecated and nobody should be using any more. Same goes for
updating the 'trusted certificate authorities' which regularly publish
revocation lists. Unfortunately there are many out of date OSs and
browsers that continue to ask for/accept the old protocols and do not
have the up to date CRLs.
The current crop of protocols (TLS1.2 with 2048 bit or larger
certificates) will take too long to crack to be useful to the 'black
hats'.
For the spoofed HTTPS connection to work as Ken has described above the
user would have to OK a broken certificate warning dialog (or have a
very out of date CRL for e.g. gmail - GeoTrust). Unfortunately, most of
us are conditioned to just 'click on through'!
1: keep your OS/browser patched (this maintains the trusted certificate
authority information and certificate revocation lists)
2: ALWAYS take a look at the web address that you are connected to and
check that the browser is happy with the cert before entering login
details.
3: NEVER accept a broken certificate warning, unless you know why it's
broken.
davidt
--
_________________________________________________________________
Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
Archives: http://lists.thomasclausen.net/mailman/private/olympus/
Themed Olympus Photo Exhibition: http://www.tope.nl/
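Worked example, added here as an illustration and not part of Ken's or davidt's posts: a Go program using only the standard library that builds the certificate check a browser performs before it shows the padlock, and runs it against the scenarios discussed above. It issues throwaway certificates in memory (a "real" CA and a "hotspot" CA, both assumed names) for an assumed host name, mail.example.com, then verifies a genuine certificate, a spoofed one issued for the same host name by the hotspot's own CA, one for the wrong host name, and finally the spoofed one again after the rogue CA has been added to the trust store, which is what accepting the warning or installing a "captive portal" CA amounts to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed host name; the posts talk about gmail, but this is only a label on
// locally generated throwaway certificates.
const target = "mail.example.com"

var serial int64 // increasing serial number for the throwaway certificates

// issue creates a certificate for name. With parent == nil it is self-signed
// (a root CA); otherwise it is signed by parent's key. isCA marks a CA cert.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the browser matches the URL host against this SAN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// check does what a browser does before showing the padlock: build a chain from
// the presented leaf to a root in the trust store and match the URL host name.
func check(leaf *x509.Certificate, trusted *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trusted,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome holds the verification result of each scenario (nil = padlock shown).
type Outcome struct {
	Genuine        error // real server cert, issued by a CA in the trust store
	Spoofed        error // hotspot's cert for the same name, issued by its own CA
	WrongName      error // trusted CA, but the cert was issued for another host
	ClickedThrough error // user accepted the warning / installed the rogue CA
}

// Run builds the certificates (assumed CA names) and evaluates the scenarios.
func Run() Outcome {
	realCA, realCAKey := issue("Real Public CA", true, nil, nil)
	rogueCA, rogueCAKey := issue("Hotspot CA", true, nil, nil)

	genuine, _ := issue(target, false, realCA, realCAKey)
	spoofed, _ := issue(target, false, rogueCA, rogueCAKey) // same name, wrong issuer
	other, _ := issue("other.example.net", false, realCA, realCAKey)

	trusted := x509.NewCertPool()
	trusted.AddCert(realCA)

	afterClick := x509.NewCertPool() // trust store after the user "clicked on through"
	afterClick.AddCert(realCA)
	afterClick.AddCert(rogueCA)

	return Outcome{
		Genuine:        check(genuine, trusted, target),
		Spoofed:        check(spoofed, trusted, target),
		WrongName:      check(other, trusted, target),
		ClickedThrough: check(spoofed, afterClick, target),
	}
}

func main() {
	o := Run()
	fmt.Println("genuine cert:          ", o.Genuine)
	fmt.Println("spoofed cert:          ", o.Spoofed)
	fmt.Println("wrong host name:       ", o.WrongName)
	fmt.Println("after clicking through:", o.ClickedThrough)
}
```

The spoofed certificate fails with an unknown-authority error and the wrong host name with a hostname error; those are the two conditions behind the browser's warning dialog, and the fourth scenario shows that once the rogue CA is in the trust store the check passes silently, which is why point 3 above matters more than any padlock icon. Revocation is not modelled here: Go's verifier does not consult CRLs, so a stale CRL would have to be checked separately.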