Well, if I understand Tim correctly, you wouldn't need a CA. In the attack he mentioned, not once do you ever actually look at the SSL content. He's talking about redirecting them to plain HTTP, setting the session cookie, and then redirecting them back. Then, when the victim logs on over SSL, the session cookie isn't changed and is treated as authenticated. Obviously, since you set the cookie, you know what it is and can then impersonate them.
I also agree that it probably wouldn't take too much effort to make that work; anything that can modify traffic ought to do the job easily enough with some tweaking. If not, it wouldn't take much effort to whip up something specialized.

On Jul 13, 2012 11:15 AM, "Douglas Huff" <[email protected]> wrote:
>
> On Jul 13, 2012, at 11:07, Tim <[email protected]> wrote:
>
> > This is complicated, but it's not that much more complicated than what
> > existing MitM tools, such as sslstrip, already do.
>
> Better. I'm fairly certain this entire attack could be
> automated/orchestrated with mitmproxy with close to zero code changes.
>
> Only "hard" part is the procurement of a CA that will work on the target
> or finding some "behind the firewall" app to target that already uses a
> self-signed/invalid cert the users are used to clicking through.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
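The server-side fix for the cookie-forcing flow described in this thread is to treat any pre-login session id as untrusted: only honour session cookies the server itself signed, and rotate the session id at login regardless. The following is an added illustration, not code from the thread or from any project mentioned in it; the `SessionStore` class, its method names and the `demo` flow are hypothetical, and the key and the forced cookie value are constructed.

```python
import hmac
import hashlib
import secrets

# Constructed server-side secret; a real deployment loads this from its key store.
SECRET_KEY = secrets.token_bytes(32)

class SessionStore:
    """Session layer with two defences: signed ids and rotation on login."""
    def __init__(self, key=SECRET_KEY):
        self.key = key
        self.sessions = {}  # sid -> {"user": ...}

    def _sign(self, sid):
        return hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()

    def issue(self):
        """Mint a fresh, server-signed session cookie value of the form 'sid.tag'."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return f"{sid}.{self._sign(sid)}"

    def lookup(self, cookie):
        """Return the sid only if the cookie is intact and was issued by this server."""
        if not cookie or "." not in cookie:
            return None
        sid, tag = cookie.rsplit(".", 1)
        if not hmac.compare_digest(tag, self._sign(sid)):
            return None  # forged or attacker-chosen value: ignored
        return sid if sid in self.sessions else None

    def login(self, cookie, user):
        """Authenticate and always rotate: the pre-login cookie, valid or not, is dropped."""
        old = self.lookup(cookie)
        if old is not None:
            del self.sessions[old]
        fresh = self.issue()
        self.sessions[fresh.rsplit(".", 1)[0]]["user"] = user
        return fresh

    def current_user(self, cookie):
        sid = self.lookup(cookie)
        return self.sessions[sid]["user"] if sid else None

def demo():
    """Replay the flow from the thread: a forced cookie arrives, then the victim logs in."""
    store = SessionStore()
    forced = "attacker-chosen-sid.0000"  # constructed: what a MitM would plant over plain http
    after_login = store.login(forced, "victim")
    return store, forced, after_login
```

Signing alone does not stop fixation with a cookie the attacker obtained legitimately from the server, which is why `login` rotates even a validly signed pre-login id.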
