tcp/routing question...

Phillip T. George phillip at eacsi.com
Tue Jun 7 16:36:21 UTC 2005


bruce wrote:

>which all of this gets back to what i was discussing yesterday, regarding
>knowing that the site you're trying to talk to is the right site! and being
>able to do this from both the client/server side...
>
>in reality, it's become clear that you need to really be able to encrypt the
>client ip address, and send this information to the server. at the same
>time, the server needs to be able to do this, and send it to the client.
>each of these pieces of information is then presented to the client
>browser, so the user can more or less determine that they're actually
>dealing with the right machine/site...
>
>this would/should in essence provide a reasonable approach to detecting a
>mitm attack..
>
>now, for this to work.. there would have to be an additional client
>side/server side app that examines the transaction/data stream/ip addresses
>to determine where the traffic is coming from, and to more or less
>validate/match the ip addresses with what the client/server expects..
>
>thoughts/comments...
>
>-bruce
>
>
>-----Original Message-----
>From: fedora-list-bounces at redhat.com
>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Andy Green
>Sent: Tuesday, June 07, 2005 9:04 AM
>To: For users of Fedora Core releases
>Subject: Re: tcp/routing question...
>
>
>bruce wrote:
>| andy...
>|
>| right....
>|
>| which means that a mitm attack would have to appear to be both the
>| client/server to the actual server/client...
>|
>| but if what you say is true... then mitm attacks aren't really possible
>| with a server/app in the middle of the client/server.
>|
>| keep in mind, i'm not sure this kind of attack is really worth worrying
>| about. but i am concerned.
>
>Scot's short answer is "yes, but" where my short answer is "no", but we
>are saying the same thing.  As Scot said, if you have really intercepted
>the bank's network so you can proxy their traffic, then you can do these
>tricks.
>
>If the situation is that the hopeful MITM machine is somewhere random on
>the Internet and does not control the client or the bank's machines or
>network, no.
>
>There are so many ways to pervert communication that there is always a
>residual chance that you are totally hacked already and just can't tell.
>For example, any upstream in Fedora could have been compromised and we
>are all compromised right now: you can't disprove it.  You just have to
>throw up your hands in the end.
>
>-Andy
>

This is why we use encryption!  So that people cannot as easily decrypt
intercepted traffic.  If you go to the URL of your bank, as provided on
your credit card statement, sign up, and use a username and password,
and ONLY return at that URL, provided that they use SSL, you're pretty
safe.  Never follow a link from an email that requires any kind of
secure information, even if that link uses SSL :)  The only way that
your information could be stolen in this case is if, when you signed up,
your connection was already stolen and was being redirected to a
different box than it should have been.  That box would also have to
know what information the bank/CC company would require.  Once they have
that information, they could do the real sign up.  They would have to
know A LOT about you to do this though.  Basically for someone to do
this, they would have to control your internet setup or your computer's
setup.  At your place of business, this would be your IT director that
could do it.  Have to have a lot of trust there ;)  Though also...a
silent virus could do this...most likely it would have to know
information about A LOT of banks...unless it's just targeted at one
bank.  The idea of it is so simple.  The virus itself would be easy to
program, but actually spreading the infection and transmitting the data
to a location that no one would be able to trace, that's hard right there :)

Anyone disagree / agree with my view of security here?

Thanks,
Phillip
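The client-side check that Phillip's reasoning rests on, written out as an added Go example (this is not code from the thread or from Fedora): the client records the certificate the site presented when it first signed up and later refuses any server that presents a different one for the same name, which is exactly the position a box sitting between the client and the bank would be in. Everything runs on loopback with throwaway self-signed certificates; the hostname bank.example, the helper names (startSite, dialPinned, fingerprint, RunScenario) and the choice of a SHA-256-of-DER pin are assumptions made for the example, not anything a real bank does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// fingerprint: SHA-256 of a DER certificate, the pin recorded at sign-up time.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// startSite mints a throwaway self-signed certificate for host (so the example
// runs offline), serves one TLS handshake on loopback with it, and returns the
// listener plus the certificate's pin. Anyone can mint one for the same name.
func startSite(host string) (ln net.Listener, pin string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, "", err
	}
	ln, err = tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil {
		return nil, "", err
	}
	go func() {
		if c, e := ln.Accept(); e == nil {
			_ = c.(*tls.Conn).Handshake() // accept or reject is the client's call
			c.Close()
		}
	}()
	return ln, fingerprint(der), nil
}

// dialPinned accepts the server at addr only if its leaf certificate hashes to pin.
// InsecureSkipVerify skips CA/hostname checks (no issuer here); VerifyPeerCertificate still runs.
func dialPinned(addr, host, pin string) error {
	cfg := &tls.Config{
		ServerName:         host,
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return errors.New("no certificate presented")
			}
			if fingerprint(raw[0]) != pin {
				return errors.New("certificate differs from the one we signed up with")
			}
			return nil
		},
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// RunScenario pins the real site's certificate, then dials it and an impostor
// that presents its own certificate for the same hostname (a MITM's position).
func RunScenario() (siteAccepted, impostorAccepted bool, err error) {
	const host = "bank.example" // assumed name, not a real site
	site, pin, err := startSite(host)
	if err != nil {
		return false, false, err
	}
	defer site.Close()
	impostor, _, err := startSite(host)
	if err != nil {
		return false, false, err
	}
	defer impostor.Close()
	siteAccepted = dialPinned(site.Addr().String(), host, pin) == nil
	impostorAccepted = dialPinned(impostor.Addr().String(), host, pin) == nil
	return siteAccepted, impostorAccepted, nil
}

func main() {
	fmt.Println(RunScenario()) // prints: true false <nil>
}
```

`go run` on this prints that the real site is accepted and the impostor is rejected, even though both hold a certificate naming bank.example. The CA check is switched off only because the throwaway certificates have no issuer; in a real client the pin is an extra check on top of normal chain and hostname verification, not a replacement for it, and it has to be refreshed when the site legitimately rotates its certificate. It also does nothing for the case Phillip describes where the very first visit was already diverted: a pin taken from the wrong box faithfully locks you to the wrong box.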
