
adamconroy | 7 years ago

I don't see how this 'man' in the middle could actually intercept passwords, except for http, but who runs auth over http anyway. For https, the 'man' would have to substitute its own certificate and then the browser / client software wouldn't trust the cert/domain combination without the end user being extremely stupid (and knowledgeable enough to achieve the stupidity).

jeffmcjunkin|7 years ago

It could use something like bdfproxy[1] to intercept HTTP-downloaded EXE files, then add some persistent malware in _addition_ to whatever the EXE was doing. This has been done before, over Tor[2].

The malware doesn't have to add a new root certificate, either, though that's completely possible. The Zeus trojan [3] does "man-in-the-browser" to intercept banking information, for example.

[1] https://github.com/secretsquirrel/BDFProxy

[2] https://www.pcworld.com/article/2839152/tor-project-flags-ru...

[3] https://en.wikipedia.org/wiki/Zeus_(malware)

adamconroy|7 years ago

So the spoofer distributing these devices is going to all this trouble/expense/risk in the hope there is an HTTP-downloaded EXE it can corrupt, then hopes the hashing doesn't fail on that corrupt EXE, and hopes the user ignores the untrusted source warning so that it can install a trojan?

Ajedi32|7 years ago

SSL stripping perhaps? There are still plenty of sites that don't implement HSTS, and not all users are vigilant enough to notice when the site they're visiting suddenly doesn't have HTTPS anymore.

Web security has been improving a lot in recent years, but it's not yet at the point where a man in the middle isn't a relevant threat.

joeframbach|7 years ago

You type in http://yourbank.com, your bank responds with a 301 to https, but this helpful router instead takes you to its phishing site. Lots of people wouldn't notice.

earenndil|7 years ago

Or it redirects you to https:// yöurbank .com/, and you see the green padlock and think nothing more of it.

Edit: made HN not mangle the link.
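The two tricks in this subthread, the HTTP-to-HTTPS hop being intercepted and the look-alike hostname, can both be caught before a link is followed. This is an added illustration, not code from any commenter; the expected hostname, the sample links and the small confusable map are constructed for it.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately small confusable map; Unicode's real
# confusables.txt covers far more characters than this.
CONFUSABLES = {
    "0": "o", "1": "l", "ı": "i",          # digit / dotless-i look-alikes
    "а": "a", "е": "e", "о": "o", "р": "p",  # Cyrillic letters that render like Latin
    "с": "c", "х": "x", "у": "y", "ѕ": "s",
}


def skeleton(host: str) -> str:
    """Crude look-alike skeleton: lowercase, drop diacritics, map confusables."""
    decomposed = unicodedata.normalize("NFKD", host.lower())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def to_ascii(host: str) -> str:
    """What the browser actually resolves: the IDNA (punycode) form of the host."""
    return host.encode("idna").decode("ascii")


def check_link(url: str, expected_host: str) -> list:
    """Return findings for a link the user believes points at expected_host."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    findings = []
    # The 301-to-https hop in the thread is only reachable because the first
    # request went out in plaintext; flag any http link to the bank at all.
    if parts.scheme == "http":
        findings.append("scheme_downgrade")
    ascii_host = to_ascii(host)
    # Same skeleton but a different wire-level name is the homograph case:
    # the padlock is green, but it belongs to xn--... rather than the bank.
    if ascii_host != expected_host.lower() and skeleton(host) == skeleton(expected_host):
        findings.append("homograph:" + ascii_host)
    return findings


if __name__ == "__main__":
    for link in ("https://yöurbank.com/", "http://yourbank.com/login", "https://yourbank.com/"):
        print(link, "->", check_link(link, "yourbank.com"))
```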

krn|7 years ago

What about DNS spoofing[1] at the local network level?

[1] https://en.wikipedia.org/wiki/DNS_spoofing

p49k|7 years ago

The spoofer wouldn’t be able to obtain a valid certificate for the spoofed site, though.

adamconroy|7 years ago

It might redirect to a malicious web page, but HTTPS would still prevent a problem. Perhaps read the article you posted.

empath75|7 years ago

What are the odds that someone dumb enough to install this would be scared off by an insecure site warning?

alangpierce|7 years ago

I think Chrome for a while has simply refused to let you visit a page when there's an SSL problem (at least for certain types of problems), which seems like a reasonable solution to the "people will just ignore warnings" problem.