Why One-time Passwords Suck For MITM Attacks

← Back to Stories (view on slashdot.org)

Why One-time Passwords Suck For MITM Attacks

Posted by CmdrTaco on Monday August 18, 2008 @09:11AM from the my-password-is-pass1234 dept.

whitehartstag writes "Black Hat 08 disclosed several SSL VPN and DNS vulnerabilities that caused several people to sit up and take notice. Some of these new exploits performed a brilliant Man-In-The-Middle attack on SSL VPN tunnels. This article walks you through how using certificates, instead of OTP tokens, for second-factor authentication can increase the security of your SSL VPN against these new types of attacks."

8 of 138 comments (clear)

Min score:

Reason:

Sort:

The Love Triangle... by kcbanner · 2008-08-18 09:17 · Score: 5, Funny

Alice and Bob's relationship will be at stake when an unknown interloper...Larry...arrives on the scene. Is this love line segment about to become a love triangle? Will the self-signed certs be accepted?

Coming to you this fall...Larry is...The Man in the Middle.

--
Obligatory blog plug: http://www.caseybanner.ca/
xkcd comic by khasim · 2008-08-18 09:19 · Score: 3, Funny

http://xkcd.com/177/
Eve
1. Re:xkcd comic by eln · 2008-08-18 09:44 · Score: 4, Funny
  
  http://xkcd.com/406/
2. Re:xkcd comic by Chyeld · 2008-08-18 09:52 · Score: 5, Funny
  
  Is anyone else on the Internet SICK TO FUCKING DEATH of every story/article/anything having a XKCD comic posted as a link in it?
  No.
  
  Summer Glau
3. Re:xkcd comic by Anonymous Coward · 2008-08-18 09:58 · Score: 5, Funny
  
  Well just in case he doesn't know...
  Knowing is half the battle.
4. Re:xkcd comic by smallfries · 2008-08-18 10:49 · Score: 3, Funny
  
  Is anyone else on the Internet SICK TO FUCKING DEATH of every story/article/anything having a XKCD comic posted as a link in it?
  My hobby:
  I like to post an xkcd link into every story I come across...
  
  --
  Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
5. Re:xkcd comic by Culture20 · 2008-08-18 11:36 · Score: 3, Funny
  
  That is no-where near an exhaustively-researched word-by-word rebuttal.
  OK...
  
  Is
  Isn't
  
  anyone
  everyone
  
  else
  this
  
  on
  off
  
  the
  Um... you win.
Re:This is NOT an attack on SSL VPN by Diss+Champ · 2008-08-18 09:36 · Score: 5, Funny

Cert authorities are notorious for poor checking. The main thing they check is that they are getting paid. There are things certificates are good for- knowing for sure the first time you see one for a site that they are who they claim they are without further checking is not one of them.