Re: [Full-disclosure] FD / lists.grok.org - bad SSL cert

From: <Valdis.Kletnieks_at_nospam>
Date: Mon Jan 05 2009 - 21:54:57 GMT
To: Tim <tim-security@sentinelchicken.org>

On Mon, 05 Jan 2009 13:29:52 PST, Tim said:
> > > How is that better, really? Run tcpdump or ettercap... Either of the
> > > tools are off the shelf.
> >
> > And if the site is using a self-signed cert, how does a 3rd party tcpdump
> > manage to get a *decrypted* datastream? Yes, you can still do traffic analysis
> > on the "X talked to Y with packet sizes A, B, and C" level, but you can't
> > look at the data.
> You're missing the point of my comment:
> Plaintext communication => use tcpdump
> Encrypted without a cert => use ettercap (or something similar)

I believe I stated *up front* that it doesn't secure against an active MITM attack. Once ettercap presents a *different* certificate than the one you were expecting, the victim can at least potentially notice (the same way that OpenSSH complains if it discovers that a host key is different).

There are also issues with getting things like ettercap working if you don't have access to the last-hop subnet (good luck sniffing all the traffic between two routers looking for one netflow ;)

No, I don't claim that Joe Sixpack will notice if they're ettercap'ed. However, fine distinctions like the difference between "just throw ettercap at it" and "this protects against passive sniffing but not active MITM" are often important in this business.

