Slashdot Mirror


Why One-time Passwords Suck For MITM Attacks

whitehartstag writes "Black Hat 08 disclosed several SSL VPN and DNS vulnerabilities that caused several people to sit up and take notice. Some of these new exploits performed a brilliant Man-In-The-Middle attack on SSL VPN tunnels. This article walks you through how using certificates, instead of OTP tokens, for second-factor authentication can increase the security of your SSL VPN against these new types of attacks."

2 of 138 comments

  1. Thawte by an.echte.trilingue · Score: 4, Informative

    Thawte does this; look about halfway down the page

    I must say that in general I have been unsatisfied with Thawte. They gave me a hard time about re-issuing my cert after the debian-ssl debacle and in general their tech support people don't know anything beyond what is already on their site.

    Seriously, I pay over a hundred clams a year just so that I can have SSL communication without the "OMFG THIS SITE IS GONNA HAXOR YOU" dialog box popping up in users' browsers, and they pull all kinds of monkey business.

    But since VeriSign owns them, I wouldn't hold my breath for them to be shut down. My guess is the other CAs do this, too.

    --
    weirdest thing I ever saw: scientology advertising on slashdot.
  2. Re:This is NOT an attack on SSL VPN by tgd · Score: 4, Informative

    You miss the point -- they are issuing a valid cert for an internal address.

    "intranet" would be an example. Not intranet.mydomain.com.

    Since your DNS will append mydomain.com automatically, it leaves you vulnerable to anyone who installs an "intranet" cert on a server they have spoofed into your DNS if you then browse to "intranet".

    If "intranet" is an SSL VPN, then they can get in the middle and get your OTP.
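
Added example, not part of the Slashdot thread: a defender-side Python check that flags certificate names of the kind the comment above describes, meaning names such as "intranet" that only have meaning through a local DNS search suffix and so cannot be tied to one owner. The input mimics the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, the reserved-TLD list and the sample values are assumptions made for illustration.

```python
import ipaddress

# Special-use suffixes that no public CA can tie to one owner (RFC 2606, RFC 6762).
RESERVED_TLDS = {"local", "localhost", "test", "example", "invalid"}


def non_unique_reason(name):
    """Return why `name` is not globally unique, or None if it looks like a public name."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        return "private or loopback IP" if (ip.is_private or ip.is_loopback) else None
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":      # judge a wildcard by its parent name
        labels = labels[1:]
    if len(labels) <= 1:
        return "single-label name, resolved through the local DNS search suffix"
    if labels[-1] in RESERVED_TLDS:
        return "reserved special-use TLD"
    return None


def cert_names(cert):
    """Collect CN and subjectAltName values from a getpeercert()-style dict."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind in ("DNS", "IP Address")]
    return list(dict.fromkeys(names))    # de-duplicate, keep order


def audit(cert):
    """Map each non-unique name in the certificate to the reason it was flagged."""
    return {n: r for n in cert_names(cert) if (r := non_unique_reason(n))}


# Constructed sample, not a real certificate.
SAMPLE = {
    "subject": ((("commonName", "intranet"),),),
    "subjectAltName": (
        ("DNS", "intranet"),
        ("DNS", "intranet.mydomain.com"),
        ("DNS", "vpn.corp.local"),
        ("IP Address", "10.0.0.5"),
    ),
}

if __name__ == "__main__":
    for name, reason in audit(SAMPLE).items():
        print(f"{name}: {reason}")
```

The browser compares the certificate against the hostname as typed ("intranet"), not the suffix-expanded name, which is why a publicly trusted certificate carrying any flagged name is worth investigating.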