Slashdot Mirror
Why One-time Passwords Suck For MITM Attacks
whitehartstag writes "Black Hat 08 disclosed several SSL VPN and DNS vulnerabilities that caused several people to sit up and take notice. Some of these new exploits performed a brilliant Man-In-The-Middle attack on SSL VPN tunnels. This article walks you through how using certificates, instead of OTP tokens, for second-factor authentication can increase the security of your SSL VPN against these new types of attacks."
Is anyone else on the Internet SICK TO FUCKING DEATH of every story/article/anything having a XKCD comic posted as a link in it?
Yes, it's funny.
Yes, we all read it and like it.
No, we don't need you to post a fucking link to it EVERY FUCKING TIME.
Posting as anon because obviously a lot of people are going to think this is a Troll. It's not. I like XKCD. I'm just sick of the 5th comment down every time linking to one of his comics...
Sigh
Shutting them down is stopping short, all the certificates issued by them need to be revoked as well and reissued by another CA after thorough checking.
If there is one documented case there are likely to be many more undocumented cases.
MP3 Search Engine
One place where these attacks actually happen is in hosting facilities. Often the switches are not configured properly and without ARP monitoring MITM attacks are trivial. With unencrypted protocols like FTP still in use, attackers don't even have to work that hard.
You do know that you don't have to click on every link that you see on a web page, right?
Somebody, preferably a government agency, should be in charge of testing CAs. CAs have very strong economic incentives to loosen verification rules in order to compete and sell more certificates. When one CA loosens its rules a little bit, all the others are compelled to do the same to stay competitive. It's a race to the bottom.
Market forces cannot solve the problem because there's a fundamental information asymmetry. Joe Myspace isn't going to understand what a root CA is, much less manually remove it from his browser. And even if he did understand what that meant, would he lose access to his favorite SSL-protected sites for some egghead's paranoid security fears?
We need regulation, and we need it now. We need several free, worldwide certificate revocation lists, and we need agencies running these lists to randomly and anonymous ensure CAs are following the verification rules.
Having just one CRL gives too much power to one authority, which is especially dangerous if these authorities are organs of government. Browsers should check all CRLs and consider a certificate invalid if, say, two-thirds of the CRLs say to do so.
In any case, the current situation is untenable.
Then, I must be the real one and not that poser from xkcd.
Authority is subjective. Once everyone realizes this, they might as well switch to the OpenPGP trust model, which acknowledges it, instead of trying to hide this inescapable truth from the user.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
...OTP subject to MITM? ...speechless... your kidding me... ... can't be... oh wait we all knew that for over a decade now.
Just because you heard it at defcon does not make it something new or novel but its still a great excuse to party :)
The latest and greatest authentication algorithms support crypto bindings of the authentication system to encryption key production to prevent these sorts of layered attacks from working.