is SSL still worth using?

Red Squirrel

Now that they managed to crack SSL via man in middle attack, is it worth still using? I tend to use it for anything with logins on my site, such as pop3, phpmyadmin etc but since people can use a tool and somehow hijack my session (still don't understand how this part works) and decrypt my packets, is it even worth the hassle? Are they working on patching this issue? It's just kinda scary that if you're sending packets from A to B someone on point C can somehow hijack the session.
 

Crusty

Of course it's still worth using. Would you rather submit your credit card numbers using plain text?
 

Red Squirrel

That's not the point, that exploit that came out not too long ago will turn your SSL Encryption to plain text.

Say you're currently at your banking site right now, I can somehow intercept your connection with this program and reverse the encryption. I'm not even sure how this program manages to intercept data remotely like that, but that's what the exploit was about. This all while not making a certificate warning.

So right now I could be on a secure site but someone could be intercepting my data with this exploit without me knowing.

http://www.heise.de/english/newsticker/news/133242
Don't think this is the actual exploit though, there's one that does not require the attacker to redirect traffic.
 

Zugzwang152

Originally posted by: RedSquirrel
That's not the point, that exploit that came out not too long ago will turn your SSL Encryption to plain text.

Say you're currently at your banking site right now, I can somehow intercept your connection with this program and reverse the encryption. I'm not even sure how this program manages to intercept data remotely like that, but that's what the exploit was about. This all while not making a certificate warning.

So right now I could be on a secure site but someone could be intercepting my data with this exploit without me knowing.

http://www.heise.de/english/newsticker/news/133242
Don't think this is the actual exploit though, there's one that does not require the attacker to redirect traffic.


You should read the article again. It's only easy to exploit if the attacker is on your LAN. It's difficult to exploit remotely, as they'd have to modify ISP network configs or actually be one of your ISP's employees. Anyway, if an attacker is on your LAN, you have bigger troubles than intercepted SSL/TLS communications.

The most common place this is going to occur is on wifi hotspots, or other public shared networks. It's very difficult and highly unlikely a random home user is going to get compromised like this.

 

Red Squirrel

Hmm since I recall another article saying the guy testing the program got people's paypal passwords and everything, this was just random people online, not people on his network. This is the part that scared me, as I just don't understand how that's possible without planting a trojan or something and having previous access to part of the network the victim is on.
 

Zugzwang152

Originally posted by: RedSquirrel
Hmm since I recall another article saying the guy testing the program got people's paypal passwords and everything, this was just random people online, not people on his network. This is the part that scared me, as I just don't understand how that's possible without planting a trojan or something and having previous access to part of the network the victim is on.

You probably read this one:
http://forums.anandtech.com/me...id=76&threadid=2280161

If you read the article, you will see he used a Tor server he was hosting. He took advantage of the fact that Internet users trusted him by redirecting all their traffic through the anonymizing proxy server and stole their stuff. So the hard part, which is intercepting the encrypted traffic, was actually very easy.

Just like any other man in the middle attack, he inserted himself between the web server and the user, and had his way with the data. This attack type is not new, and in fact there are many other man in the middle tools out there.

And here's the key quote in the whole article:
Despite the fact that the sites in Marlinspike's tests displayed themselves as "HTTP" instead of "HTTPS," not a single user navigated away from a look-alike site without entering a password.

People need to pay attention if they care about their information. Period.



 

bsobel

Originally posted by: RedSquirrel
That's not the point, that exploit that came out not too long ago will turn your SSL Encryption to plain text.

Your posts always make me cringe.

Say you're currently at your banking site right now, I can somehow intercept your connection with this program and reverse the encryption.

No, it doesn't.

So right now I could be on a secure site but someone could be intercepting my data with this exploit without me knowing.

Not if you initially set up your connection as SSL instead of plain text, or you bother to check the URL or certificate being used and not realize it's bogus.
 

Red Squirrel

Originally posted by: Zugzwang152
Originally posted by: RedSquirrel
Hmm since I recall another article saying the guy testing the program got people's paypal passwords and everything, this was just random people online, not people on his network. This is the part that scared me, as I just don't understand how that's possible without planting a trojan or something and having previous access to part of the network the victim is on.

You probably read this one:
http://forums.anandtech.com/me...id=76&threadid=2280161

If you read the article, you will see he used a Tor server he was hosting. He took advantage of the fact that Internet users trusted him by redirecting all their traffic through the anonymizing proxy server and stole their stuff. So the hard part, which is intercepting the encrypted traffic, was actually very easy.

Just like any other man in the middle attack, he inserted himself between the web server and the user, and had his way with the data. This attack type is not new, and in fact there are many other man in the middle tools out there.

And here's the key quote in the whole article:
Despite the fact that the sites in Marlinspike's tests displayed themselves as "HTTP" instead of "HTTPS," not a single user navigated away from a look-alike site without entering a password.

People need to pay attention if they care about their information. Period.

That's the one I was looking for. So how exactly does TOR work and how would someone's traffic be forcibly routed through it? I heard it's some kind of distributed proxy network, but still, how would one force someone else's traffic to go through it? People would not purposely use a proxy to go on banking sites, or are there really people THAT stupid?

 

bsobel

That's the one I was looking for. So how exactly does TOR work and how would someone's traffic be forcibly routed through it? I heard it's some kind of distributed proxy network, but still, how would one force someone else's traffic to go through it?

Those users specifically ran a tor proxy on their machine or set their browser to use a public one.

People would not purposely use a proxy to go on banking sites, or are there really people THAT stupid?

Yes, people are that stupid.


 

Red Squirrel

Hmm, so this exploit is just attacking user stupidity then? From the sound of the article it looks more like they are forced onto that proxy somehow. I also have a friend who's somehow hijacked people's connections from A to B while he's on C. Something about a DDoS and Windows misrouting packets, but he had little info on it as it's been a long time since he's done it. (got busted, not touching any of that stuff since then) That I still don't get how it's possible. ARP poisoning is not the case as ARPs only stay on a single network segment as far as I know.

Regardless, that exploit is still scary as someone could do that on a school network for example, and it's undetectable by the client, but at home it should be safe unless the bank's server gets hacked, which would be a whole big problem on its own.
 

MedicBob

It is more about social engineering than the technical aspect. You get someone to trust your proxy and send ALL traffic through it, to you. Collecting that data is relatively simple as it is on your network then.

It isn't always user stupidity, sometimes it's just not being aware of possible security problems with different schemes, programs, etc.

I trust my network at home usually, my work network sometimes, and anywhere else never.