This is a problem with SSL 2.0, first discovered by Simon Spero, then at
EIT.

It was fixed in SSL 3.0; that must be almost three years ago.

The server certificate now binds the public key to a specific Web server
address.

                Phill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Robert Hettinga
Sent: Wednesday, October 06, 1999 4:22 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Is SSL dead? (was Re: ECARM NEWS for October 06,1999 Second
Ed.)


At 2:00 PM -0400 on 10/6/99, [EMAIL PROTECTED] wrote:


> Title: Special Kurt's Closet: Is SSL dead?
> Resource Type: News letter
> Date: September 30, 1999
> Source: Security Portal
> Author: Kurt Seifried
> Keywords: INTERNET/WWW    ,SECURITY ISSUES ,ONLINE SHOPPING ,SSL
>
> Abstract/Summary:
> The title is a bit scary, but I wanted to get your attention (worked,
> didn't it?). Most security experts have been aware of problems with SSL,
> but generally speaking we haven't said much because there wasn't much of
> a replacement available for it, and it hasn't been exploited extensively
> (chances are it will be, though). I'll start with an explanation of the
> basic attack, followed by some methods to protect yourself, and finish
> with an interview with Dale Peterson of DigitalBond and the summary.
>
> How to do it
>
> Let's say I want to scam people's credit card numbers, and don't want to
> break into a server. What if I could get people to come to me, and
> voluntarily give me their credit card numbers? Well, this is entirely
> too easy.
>
> I would start by setting up a web server, and copying a popular site to
> it, say www.some-online-store.com, time required to do this with a tool
> such as wget is around 20-30 minutes. I would then modify the forms used
> to submit information and make sure they pointed to my server, so I now
> have a copy of www.some-online-store.com that looks and feels like the
> "real" thing. Now, how do I get people to come to it? Well I simply
> poison their DNS caches with my information, so instead of
> www.some-online-store.com pointing to 1.2.3.4, I would point it to my
> server at 5.6.7.8. Now when people go to www.some-online-store.com they
> end up at my site, which looks just like the real one.
>
> Original URL: http://securityportal.com/closet/closet19990930.html
>
> Added: Wed  Oct  6 12:41:14 -040 1999
> Contributed by: Keeffee

-----------------
Robert A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
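
Added example, not part of either message in this thread: a sketch of the client-side check that makes the reply's point about the certificate binding the key to the server address, so a DNS answer pointing somewhere else does not by itself pass as the store. The certificate dictionaries are constructed samples in the shape Python's ssl.SSLSocket.getpeercert() returns; the subjectAltName form, the wildcard rule and the name www.other-site.example are assumptions of this example.

```python
import ssl

# Constructed sample certificates (getpeercert()-style dicts), not real ones.
STORE_CERT = {"subjectAltName": (("DNS", "www.some-online-store.com"),)}
OTHER_CERT = {"subjectAltName": (("DNS", "www.other-site.example"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.some-online-store.com"),)}


def dns_names(cert):
    """Return the DNS names the certificate is bound to."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Exact match, or '*' standing for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*" and len(p) > 2:  # refuse wildcards directly under a TLD
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_binds_host(cert, hostname):
    """True only if the name the user asked for appears in the certificate."""
    return any(name_matches(n, hostname) for n in dns_names(cert))


def strict_client_context():
    """Client context that requires a trusted chain and a matching name."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default, stated explicitly
    ctx.check_hostname = True            # already the default, stated explicitly
    return ctx


if __name__ == "__main__":
    wanted = "www.some-online-store.com"  # the name typed by the user
    for label, cert in (("store", STORE_CERT), ("other", OTHER_CERT)):
        print(label, cert_binds_host(cert, wanted))
```

The comparison is always against the name the user requested, never the IP address DNS returned, which is why a redirected lookup alone does not satisfy it.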
