nwrickert (Geneva, IL), in reply to aefstoggaflm, Re: [complaint] SSL page, please
said by aefstoggaflm: "In the meantime, while waiting for an SSL page, this is an example of what user(s) could do..."
If there is an actual point to doing this, you have failed to explain what that point is.
-- AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.0.14

drew (Port Orchard, WA)
Feel good maybe? About verifying the certificate is actually valid.

aefstoggaflm (Bethlehem, PA), in reply to nwrickert
said by nwrickert:
    said by aefstoggaflm: "In the meantime, while waiting for an SSL page, this is an example of what user(s) could do..."
    "If there is an actual point to doing this, you have failed to explain what that point is."
You know very well what the point is.
No SSL page equals:
A person doing a "man in the middle attack" can
#1 Just remove the S from the URL starting with HTTPS, making the data be sent in the clear to them.
#2 Make sure that the site gets the URL starting with HTTPS.
#3 Or, last but not least, change the SSL certificate so that the data is securely sent to them.
About the third possibility, I point to the two post(s) by Woody79_00 in one of my thread(s):
»Re: Warning: The browser model is really broken
»Re: Warning: The browser model is really broken
-- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.
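The attacks listed in the post above, as an added example that is not part of the thread: a simulated SSL-stripping rewrite of a login form that the server sends over plain HTTP with an https:// form action (the configuration under discussion), plus the check a user would actually need to make. The hostnames forum.example and forum-login.example and the HTML are constructed for illustration. The second rewrite, which keeps https:// but points the form at a host the attacker holds a valid certificate for, is a generalisation of the post's #3 rather than something the post spells out.

```python
"""Simulated SSL stripping against a login form served over plain HTTP.

Constructed example; the hostnames forum.example / forum-login.example and the
HTML are made up.  The point: a form action that says https:// means nothing
if the page carrying it arrived over http://, because whoever sits between the
browser and the server gets to rewrite that action first.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed login page as the server sends it over plain HTTP.  The form
# action already points at HTTPS, which is the configuration defended above.
ORIGINAL_PAGE = """<html><body>
<form method="post" action="https://forum.example/login">
  <input name="user"><input name="pass" type="password">
  <input type="submit" value="Log in">
</form>
</body></html>"""


def mitm_strip_https(page_html):
    """Attacker-side rewrite (the post's #1): downgrade every https:// reference
    so the browser posts the credentials in the clear to a URL the attacker is
    already intercepting.  Stripping proxies remember which URLs they downgraded
    and re-upgrade the upstream request, so the real server still sees an
    ordinary HTTPS login."""
    return re.sub(r"https://", "http://", page_html, flags=re.IGNORECASE)


def mitm_redirect_form(page_html, attacker_host):
    """Quieter variant, a generalisation of the post's #3: keep https:// but point
    the form at a host the attacker controls and holds a valid certificate for.
    The browser sees a clean HTTPS submission and has nothing to warn about."""
    return re.sub(r'action="https://[^/"]+',
                  'action="https://%s' % attacker_host, page_html)


class FormActionParser(HTMLParser):
    """Collects the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def form_actions(page_html):
    parser = FormActionParser()
    parser.feed(page_html)
    return parser.actions


def login_form_findings(page_url, page_html):
    """User-side check of where the credentials will really go.  Returns a list
    of problems; empty means the page and every form on it are HTTPS and post
    back to the page's own host.  An HTTP page fails immediately: its HTML is
    whatever the last hop chose to deliver, so reading its source (or its form
    action) proves nothing about what the browser will submit."""
    page = urlparse(page_url)
    findings = []
    if page.scheme != "https":
        findings.append("login form delivered over %s; anyone on the path can rewrite it"
                        % page.scheme)
    for action in form_actions(page_html):
        target = urlparse(action)
        scheme = target.scheme or page.scheme    # a relative action inherits the
        host = target.hostname or page.hostname  # page's scheme and host
        if scheme != "https":
            findings.append("form posts credentials over %s to %s" % (scheme, host))
        elif host != page.hostname:
            findings.append("form posts to %s, not to %s" % (host, page.hostname))
    return findings


if __name__ == "__main__":
    stripped = mitm_strip_https(ORIGINAL_PAGE)
    redirected = mitm_redirect_form(ORIGINAL_PAGE, "forum-login.example")
    print("as served:      ", form_actions(ORIGINAL_PAGE))
    print("after stripping:", form_actions(stripped))
    print("after redirect: ", form_actions(redirected))
    cases = [("HTTP page, untouched", "http://forum.example/", ORIGINAL_PAGE),
             ("HTTP page, stripped", "http://forum.example/", stripped),
             ("HTTP page, redirected", "http://forum.example/", redirected),
             ("HTTPS page", "https://forum.example/login", ORIGINAL_PAGE)]
    for label, url, html in cases:
        print("%-22s %s" % (label + ":", login_form_findings(url, html) or "ok"))
```

Run as a script it prints the form action before and after each rewrite and the findings for each case. Note that the untouched HTTP page is already flagged even though its form action is https://, because nothing about an HTTP-delivered page can be trusted to match what the server sent.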

aefstoggaflm (Bethlehem, PA), in reply to drew
said by drew: "Feel good maybe? About verifying the certificate is actually valid."
You are correct, on the dot.
--
It would be a lot easier (and obvious) if there were an SSL page; that way users would not have to look at the source code.
All they have to do is check the certificate.

aefstoggaflm (Bethlehem, PA), in reply to nwrickert
said by nwrickert: "The secure login form is transmitted using https, so the login is secure. What is the problem?"
#1 There are SSL accelerators.
From Security Now! with Steve Gibson, Episode 217 for October 8, 2009: The Broken Browser Model.
quote: Steve: Well, exactly. And that's the point, is it's the concentration effect that individual end users could all be negotiating these SSL connections with no problem. But a server that's handling tens of thousands of connections per second, suddenly it ends up just collapsing. So the good news is, servers today, processors today are far faster. This is why there are so-called "SSL accelerators." You can buy SSL hardware that does this very expensive public key handshake in hardware to offload the burden from the server software because it's traditionally been so expensive.
#2 HTTP 1.1 exists.
From Security Now! with Steve Gibson, Episode 217 for October 8, 2009: The Broken Browser Model.
quote: One of the changes in HTTP 1.0, because it was recognized that this was dumb, if we had a lot of transactions back and forth as we walked around interacting with a single site, why keep bringing up and dropping these connections? So the HTTP 1.0 model, and that's a little agreement in the query that the browser makes that says I'm using what protocol version, and so all browsers now support HTTP 1.1, it'll say this is what I'm using. And in one of the headers they'll say, I'm willing to keep this alive. And so it's a keep-alive header. So the server says, oh, whew, thank you. And so the spec says that a client, a web client, can and will have a maximum of two connections at a time to the remote server. And it's able to reuse them. So the client is able to send a stream of queries down those connections and receive a disambiguated stream of responses back. So in that model it's much less expensive to establish two connections which are SSL because now they're persistent.
-- Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.
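The keep-alive point in the quoted passage above, as an added illustration that is not from the thread or the podcast: a small server on the loopback interface counts the TCP connections it accepts against the HTTP requests it serves, first for a client that reuses one HTTP/1.1 connection and then for a client that opens a fresh connection per request. Everything here is constructed; over HTTPS each new connection would additionally cost a TLS handshake (full or resumed), so the connection count is the figure the "SSL accelerator" concern is about.

```python
"""HTTP/1.1 keep-alive versus one TCP connection per request.

Constructed local demonstration.  A tiny server on the loopback interface
counts TCP connections accepted against HTTP requests served.  Over HTTPS every
new connection costs a TLS handshake (full or resumed), so the connection count
is the number the 'SSL accelerator' concern above is really about.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from socketserver import ThreadingMixIn


class CountingHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # advertise 1.1 so the connection may stay open

    def handle(self):
        # One handle() per accepted TCP connection; the base class then loops
        # over handle_one_request() until the client closes or asks us to.
        self.server.connections += 1
        super().handle()

    def do_GET(self):
        # One do_GET() per request carried on that connection.
        self.server.requests += 1
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


class CountingServer(ThreadingMixIn, HTTPServer):
    daemon_threads = True

    def __init__(self, *args, **kwargs):
        self.connections = 0
        self.requests = 0
        super().__init__(*args, **kwargs)

    def server_bind(self):
        # Skip HTTPServer's reverse DNS lookup of the bind address; loopback only.
        super(HTTPServer, self).server_bind()
        self.server_name, self.server_port = self.server_address[:2]


def run_clients(n):
    """Returns ((connections, requests) with keep-alive,
                (connections, requests) with a fresh connection per request)."""
    server = CountingServer(("127.0.0.1", 0), CountingHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Keep-alive: one HTTPConnection, n requests down the same socket.
        conn = HTTPConnection("127.0.0.1", port)
        for _ in range(n):
            conn.request("GET", "/")
            conn.getresponse().read()  # read to the end so the socket is reusable
        conn.close()
        persistent = (server.connections, server.requests)

        server.connections = server.requests = 0
        # HTTP/1.0-style: connect, one request, close, repeat.
        for _ in range(n):
            one_shot = HTTPConnection("127.0.0.1", port)
            one_shot.request("GET", "/", headers={"Connection": "close"})
            one_shot.getresponse().read()
            one_shot.close()
        per_request = (server.connections, server.requests)
    finally:
        server.shutdown()
        server.server_close()
    return persistent, per_request


if __name__ == "__main__":
    persistent, per_request = run_clients(20)
    print("keep-alive:             %d connection(s) for %d requests" % persistent)
    print("connection per request: %d connection(s) for %d requests" % per_request)
```

With keep-alive the server sees a single connection for all the requests; with a "Connection: close" on every request it sees as many connections as requests. Reading each response to the end matters: http.client only reuses the socket once the previous response has been fully consumed.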

drew (Port Orchard, WA)
I think you've expressed your desire for a directly HTTPS login page clearly to the site staff.
-- Come play Mafia! | My Picture Blog

nwrickert (Geneva, IL), in reply to aefstoggaflm
said by aefstoggaflm: "A person doing a 'man in the middle attack' can #1 Just remove the S from the URL starting with HTTPS, making the data be sent in the clear to them."
Then my browser warns me that I am sending data unencrypted, and gives me the option to cancel or approve.
said by aefstoggaflm: "#3 Or, last but not least, they can change the SSL certificate so that the data is securely sent to them."
In most cases, my browser will warn me about problems with the security certificate, such as it not matching the site name, or not being certified by a trusted CA.
-- AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.0.14

cacroll (Martinez, CA), in reply to aefstoggaflm
I, personally, think that we should worry about DSLR members who use multiple accounts, so they can act like trolls/idiots, anonymously. And about DSLR members who use pictures of birds whirling disco lights.
I don't see any benefit to a man-in-the-middle attack against a person surfing DSLR Forums. Nor do I see that you have described any scenario where someone might try such an attack.
I fail to see that you have proven any real risk, should DSLR Forums continue in its present "unsecure" configuration.
-- Cheers, Chuck MS-MVP 2005-2009 [Windows - Desktop Experience] Nitecruzr Dot Net