Slashdot Mirror


Why One-time Passwords Suck For MITM Attacks

whitehartstag writes "Black Hat 08 disclosed several SSL VPN and DNS vulnerabilities that caused several people to sit up and take notice. Some of these new exploits performed a brilliant Man-In-The-Middle attack on SSL VPN tunnels. This article walks you through how using certificates, instead of OTP tokens, for second-factor authentication can increase the security of your SSL VPN against these new types of attacks."

7 of 138 comments

  1. Thawte by an.echte.trilingue · · Score: 4, Informative

    Thawte does this; look about halfway down the page

    I must say that in general I have been unsatisfied with Thawte. They gave me a hard time about re-issuing my cert after the Debian SSL debacle, and in general their tech support people don't know anything beyond what is already on their site.

    Seriously, I pay over a hundred clams a year just so that I can have SSL communication without the "OMFG THIS SITE IS GONNA HAXOR YOU" dialog box popping up in users' browsers, and they pull all kinds of monkey business.

    But since VeriSign owns them, I wouldn't hold my breath for them to be shut down. My guess is the other CAs do this, too.

    --
    weirdest thing I ever saw: scientology advertising on slashdot.
  2. Re:has anyone experienced the following: by carleton · · Score: 2, Informative

    Most VPN clients I've used support a split tunnel mode... the idea being that data going to your company's internal LAN goes through the VPN tunnel; data going elsewhere goes outside the tunnel. The idea here is that if you're trying to do stuff on the public network (which is assumed to be less sensitive to begin with), you don't have to wait for the traffic to flow from your computer to your company and then to the site you want (the worst case being if you wanted to, say, stream music off your music server on your home LAN).

    That would be my guess.

  3. Re:too bad for the new blizzard authenticators by Anonymous Coward · · Score: 1, Informative

    Not necessarily; the Blizz client can rely on a single CA for its certs from the server. The key to the success of this exploit is that there are several CAs that the browsers accept.

  4. Re:This is NOT an attack on SSL VPN by tgd · · Score: 4, Informative

    You miss the point -- they are issuing a valid cert for an internal address.

    "intranet" would be an example. Not intranet.mydomain.com.

    Since your DNS will append mydomain.com automatically, it leaves you vulnerable to anyone who installs an "intranet" cert on a server they have spoofed into your DNS if you then browse to "intranet".

    If "intranet" is an SSL VPN, then they can get in the middle and get your OTP.
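
The name-matching gap tgd describes, as an added Python example that is not from the thread or the article it links: a stub resolver's search list turns the bare label into intranet.mydomain.com, while the browser checks the certificate only against the label the user typed, so a CA-issued cert for "intranet" passes. The audit and portal-policy functions are the defender-side checks that catch the single-label name; the search list and certificate names are constructed, and mydomain.com is the post's placeholder.

```python
# Added example: resolver search-list expansion versus browser certificate name
# matching, plus the checks a defender can run. Names below are constructed.

SEARCH_DOMAINS = ["mydomain.com"]  # constructed resolver search list


def resolver_candidates(name, search_domains=SEARCH_DOMAINS):
    """Mimic a stub resolver: a dotless name is tried with each search suffix appended."""
    bare = name.rstrip(".").lower()
    if "." in bare:
        return [bare]
    return [f"{bare}.{suffix}" for suffix in search_domains]


def cert_matches_host(cert_names, url_host):
    """Browser-style matching: the cert's names are compared with the host as typed
    in the URL bar. What the resolver expanded it to never enters the comparison."""
    host = url_host.rstrip(".").lower()
    for raw in cert_names:
        name = raw.rstrip(".").lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def is_unqualified(name):
    """True for a single-label name (no dot after any leading wildcard). Such a name
    has no unique meaning on the public Internet and should not be in a public-CA cert."""
    bare = name.rstrip(".")
    if bare.startswith("*."):
        bare = bare[2:]
    return "." not in bare


def audit_cert_names(cert_names):
    """Inventory check: return the names a publicly trusted cert should not carry."""
    return [n for n in cert_names if is_unqualified(n)]


def vpn_portal_allowed(url_host):
    """Client-side policy: only a fully qualified portal name may be used for the SSL VPN."""
    return not is_unqualified(url_host)


def walk_through(typed_host="intranet", cert_names=("intranet",)):
    """Reproduce the post's scenario and report what each layer decided."""
    return {
        "resolved_to": resolver_candidates(typed_host)[0],
        "cert_accepted": cert_matches_host(cert_names, typed_host),
        "policy_allows": vpn_portal_allowed(typed_host),
    }
```

Typing the FQDN instead of the bare label makes the same "intranet" cert fail the browser check, which is the user-side version of the policy function above.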

  5. Re:xkcd comic by geminidomino · · Score: 2, Informative

    It frightens me that you got modded "insightful".

  6. Re:xkcd comic by bigstrat2003 · · Score: 2, Informative

    To be fair, that video is fuckin' awesome, if not particularly action-packed.

    --
    "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
  7. Re:xkcd comic by ZorbaTHut · · Score: 2, Informative

    He's not a dick, he's an asshole.

    You should get your eyes checked.

    --
    Breaking Into the Industry - A development log about starting a game studio.