Phorm, mitm, and https

Unread 23-02-2008, 03:22 PM   #1
bealoid
Guest
 
Posts: n/a
Phorm, mitm, and https

{x-posted to alt.privacy and alt.computer.security}

A number of UK ISPs have signed up for Phorm. This is, IMO, pretty bad.

Phorm say that they ignore anything going over https. For the purposes of
this thread, imagine a rogue, black-hat, Phorm.[1] Or even a rogue,
black-hat, ISP.

Ann, at her pc, logs into her internet "bob's Bank" bank account.

What are the steps involved between Ann's browser and the Bob's web page?

Is there any way for EvePhorm to mount a serious mitm attack?

Is there any way for EveBlackHatISP to mount a serious mitm attack?

I'm only really interested in attacks that allow Eves to either see the
financial data, or worse. I'd be interested to know what kind of mild data
leaks would be available.

Many thanks for any replies.

Unread 23-02-2008, 04:24 PM   #2
nemo_outis
Guest
 
Posts: n/a
Re: Phorm, mitm, and https

bealoid <signup@bealoid.co.uk> wrote in
news:Xns9A4D94296AC6FYAsfKJXSTO@194.117.143.37:

You need to read up on SSL.

Simplifying a bit, as long as:

1) the bank (or other destination site) has properly implemented its pages
(doesn't mix http & https, doesn't switch away, etc.), and
2) you actually *check* its SSL certificate to make sure it's for whomever
you're trying to connect to,

you're bombproof.

Regards,

PS This assumes, of course, that your computer is not infested with
spyware, Trojans, and the like and that you practice safe computing by
securing your browser, flushing caches and cookies, etc. or even signing
off after a secure session. In short, SSL protects communications in
transit, it doesn't protect against compromise (and stupid mistakes) at
either end point, especially by a user unreflectively clicking on stuff he
shouldn't (slightly misspelled URLs, etc.).
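
The two conditions in the post above (the certificate chains to an issuer you trust, and it names the site you meant to reach) can be checked by hand with the `openssl` command-line tool. This is an added example, not part of the original post; the host name `bank.example`, the throwaway CA and Eve's look-alike certificate are all constructed locally.

```shell
#!/usr/bin/env bash
# Added example: every name here (bank.example, "Constructed Test CA") is
# constructed. Requires the openssl CLI; nothing touches the network.

# Build a throwaway CA (stands in for a root the browser trusts), a bank
# certificate signed by it, and Eve's self-signed certificate for the same name.
make_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=bank.example" \
    -keyout "$dir/bank.key" -out "$dir/bank.csr" 2>/dev/null
  openssl x509 -req -in "$dir/bank.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/bank.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=bank.example" \
    -keyout "$dir/eve.key" -out "$dir/eve.pem" 2>/dev/null
}

# Succeeds (exit 0) only if the certificate chains to the trusted CA
# AND its name matches the host the user intended to visit.
check_cert() {
  dir=$1 cert=$2 host=$3
  openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$host" \
    "$dir/$cert" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d)
  make_pki "$dir"
  check_cert "$dir" bank.pem bank.example && echo "genuine cert, intended host: accepted"
  check_cert "$dir" eve.pem  bank.example || echo "Eve's self-signed cert: rejected (untrusted issuer)"
  check_cert "$dir" bank.pem bamk.example || echo "misspelled host name: rejected (name mismatch)"
  rm -rf "$dir"
}

demo
```

A browser performs both checks automatically; the interception only succeeds if the user clicks through the resulting warning or a rogue root has been added to the trust store.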

 
Unread 23-02-2008, 04:24 PM   #3
bealoid
Guest
 
Posts: n/a
Re: Phorm, mitm, and https

"nemo_outis" <abc@xyz.com> wrote in
news:Xns9A4D5BFC23FD9pqwertyu@64.59.135.159:

> bealoid <signup@bealoid.co.uk> wrote in
> news:Xns9A4D94296AC6FYAsfKJXSTO@194.117.143.37:
>
> You need to read up on SSL.


I know! I've got the RFCs and such now.
>
> Simplifying a bit, as long as:
>
> 1) the bank (or other destination site) has properly implemented its
> pages (doesn't mix http & https, doesn't switch away, etc.), and
> 2) you actually *check* its SSL certificate to make sure it's for
> whomever you're trying to connect to,
>
> you're bombproof.


I really thought this was the case. I'm having a gentle argument in a
virginmedia support newsgroup.

>
> Regards,
>
> PS This assumes, of course, that your computer is not infested with
> spyware, Trojans, and the like and that you practice safe computing by
> securing your browser, flushing caches and cookies, etc. or even
> signing off after a secure session. In short, SSL protects
> communications in transit, it doesn't protect against compromise (and
> stupid mistakes) at either end point, especially by a user
> unreflectively clicking on stuff he shouldn't (slightly misspelled
> URLs, etc.).


Well, yes. The number of machines that get trojaned by users clicking
the "yes, please instal malware" buttons isn't re-assuring. :-(

 
Unread 24-02-2008, 08:25 PM   #4
ugh
Guest
 
Posts: n/a
Re: Phorm, mitm, and https

128k SSL is crackable, with considerable time and effort.

http://au.answers.yahoo.com/answers2...=1006041124032

http://www.marktaw.com/technology/Ho...etocrackS.html


 
Unread 24-02-2008, 08:25 PM   #5
Sebastian G.
Guest
 
Posts: n/a
Re: Phorm, mitm, and https

ugh wrote:

> 128k SSL



128k? Don't you mean 128 bit?

> http://au.answers.yahoo.com/answers2...=1006041124032



Some illiterates talking about things they don't know and don't understand.

> http://www.marktaw.com/technology/Ho...etocrackS.html


That's obviously a 40 bit key, dude!
 
Unread 24-02-2008, 10:28 PM   #6
Anonymous
Guest
 
Posts: n/a
Re: Phorm, mitm, and https

ugh wrote:

> 128k SSL is crackable, with considerable time and effort.


Please... get your information about cryptanalysis from some source
other than random clueless rubes posting to some Yayhoo forum and/or
learn to read for comprehension.

First of all it's "bits", not "k".

Second of all, if you combined the computing power of every digital
device on the face of the planet and directed that effort toward
cracking a single 128 bit SSL session it would take you significantly
longer than the Earth has existed to crack it, and generate enough heat
to vaporize this corner of the Galaxy in the process.

The mathematics behind that is undeniable. Modern strong encryption is
virtually uncrackable. Period. If any weaknesses exist they're going to
be in the implementation, not the crypto itself.

 
Unread 24-02-2008, 11:32 PM   #7
nemo_outis
Guest
 
Posts: n/a
Re: Phorm, mitm, and https

"Sebastian G." <seppi@seppig.de> wrote in
news:62e19eF22mtvsU1@mid.dfncis.de:

> ugh wrote:
>
>> 128k SSL

>
>
> 128k? Don't you mean 128 bit?
>
>> http://au.answers.yahoo.com/answers2...on?qid=1006041
>> 124032

>
>
> Some illiterates talking about things they don't know and don't
> understand.
>
>> http://www.marktaw.com/technology/Ho...etocrackS.html

>
> That's obviously a 40 bit key, dude!
>


Exactly right, Sebastian!

Regards,
 
Unread 25-02-2008, 05:24 AM   #8
Ari
Guest
 
Posts: n/a
Re: Phorm, mitm, and https

On Sun, 24 Feb 2008 21:52:34 -0500, ugh wrote:

> 128k SSL is crackable, with considerable time and effort.


I should say lol
--
An Explanation Of The Need To Be "Anonymous"
http://www.penny-arcade.com/comic/2004/03/19
 
Unread 25-02-2008, 10:21 AM   #9
Ertugrul Söylemez
Guest
 
Posts: n/a
Re: Phorm, mitm, and https

On Sun, 24 Feb 2008 23:13:56 +0100 (CET)
Anonymous <cripto@ecn.org> wrote:

> The mathematics behind that is undeniable. Modern strong encryption is
> virtually uncrackable. Period. If any weaknesses exist they're going
> to be in the implementation, not the crypto itself.


Unfortunately this is very inaccurate. The mathematics are deniable,
because there are no security proofs. There is strong evidence towards
good security, but nothing is proven here. So currently, we can only
assume security, not take it for granted.


Regards,
Ertugrul.


--
http://ertes.de/

 
Unread 25-02-2008, 09:29 PM   #10
bealoid
Guest
 
Posts: n/a
Re: Phorm, mitm, and https

Ertugrul Söylemez <es@ertes.de> wrote in
news:fpu314$9u4$02$1@news.t-online.com:

> On Sun, 24 Feb 2008 23:13:56 +0100 (CET)
> Anonymous <cripto@ecn.org> wrote:
>
>> The mathematics behind that is undeniable. Modern strong encryption is
>> virtually uncrackable. Period. If any weaknesses exist they're going
>> to be in the implementation, not the crypto itself.

>
> Unfortunately this is very inaccurate. The mathematics are deniable,
> because there are no security proofs. There is strong evidence towards
> good security, but nothing is proven here. So currently, we can only
> assume security, not take it for granted.


I agree, but the evidence is very strong for some versions algorithms, no?

And, until someone does factorisation, cracking an encrypted message is
almost always going to rely on the implementation of the algorithm in
software, the deployment of software on the machine, human weaknesses in
picking good passwords etc.

All times are GMT.