Slashdot Mirror


Why One-time Passwords Suck For MITM Attacks

whitehartstag writes "Black Hat 08 disclosed several SSL VPN and DNS vulnerabilities that caused several people to sit up and take notice. Some of these new exploits performed a brilliant Man-In-The-Middle attack on SSL VPN tunnels. This article walks you through how using certificates, instead of OTP tokens, for second-factor authentication can increase the security of your SSL VPN against these new types of attacks."

8 of 138 comments

  1. The Love Triangle... by kcbanner · · Score: 5, Funny

    Alice and Bob's relationship will be at stake when an unknown interloper...Larry...arrives on the scene. Is this love line segment about to become a love triangle? Will the self-signed certs be accepted?

    Coming to you this fall...Larry is...The Man in the Middle.

    --
    Obligatory blog plug: http://www.caseybanner.ca/
  2. This is NOT an attack on SSL VPN by ugen · · Score: 5, Interesting

    This isn't an attack on anything, really.

    Here is what the article says:
    "They will then go to all of the trusted CA's and try to get them to issue them a valid "internal only" certificate with the FQDN of a target sslvpn URL. As soon as they get a success, that company now becomes their target of choice. Remember, the certificate they need can be issued from any trusted CA in the browser and does not need to match the CA that the SSLVPN gateway is using."

    Now, maybe I am not understanding the purpose of SSL certificates and the PKI infrastructure in general, but I was under the distinct impression that the whole reason those authorities exist is to verify who they give the certificate to, and in such a way that we, users, can trust these certificates.

    If this is not correct, and anyone can with relatively minor effort get a certificate for a random domain name from one of the recognized cert. authorities - game over, none of this matters, the entire PKI infrastructure is in the crapper.

    So, either we have to deal with cert. authorities signing things they should not or this is not an attack that is worth discussing. Everything else is a half-measure.

    1. Re:This is NOT an attack on SSL VPN by Diss+Champ · · Score: 5, Funny

      Cert authorities are notorious for poor checking. The main thing they check is that they are getting paid. There are things certificates are good for- knowing for sure the first time you see one for a site that they are who they claim they are without further checking is not one of them.
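
The point in the quoted passage above (the rogue certificate "does not need to match the CA that the SSLVPN gateway is using") is easy to see in code. The following Go program is an added example written for this mirror; it is not code from the linked article or from any commenter. It builds two self-signed roots that a client trusts, issues a genuine certificate for a constructed hostname (sslvpn.example.com) from the first root and a second certificate for the same name from the other root, then runs the two checks a VPN client could make: ordinary path validation against the trust store, and a SHA-256 pin on the gateway's SubjectPublicKeyInfo. All CA names, the hostname and the serial numbers are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate returns a template for either a root CA or a server leaf for host.
// Names, hostnames and serials used here are constructed for the demo.
func newTemplate(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{name} // Go matches DNSName against SANs, not the CN
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and signs the certificate with parentKey.
// When parent is nil the certificate is self-signed, i.e. a root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Outcome records the two independent checks a client can make on a presented certificate.
type Outcome struct {
	ChainValid bool // path validation: is it signed by *any* root in the trust store?
	PinMatch   bool // SPKI pin: is it the public key the real gateway actually uses?
}

// SPKIPin is the SHA-256 of the DER SubjectPublicKeyInfo, the value key pinning stores.
func SPKIPin(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// Evaluate runs both checks against a presented leaf the way a VPN client would.
func Evaluate(presented *x509.Certificate, roots *x509.CertPool, host string, pin [32]byte) Outcome {
	_, err := presented.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return Outcome{ChainValid: err == nil, PinMatch: SPKIPin(presented) == pin}
}

// Scenario builds the situation from the comment: two roots the client trusts, the
// gateway's genuine certificate from one of them, and a certificate for the same FQDN
// obtained from the other. It returns the outcome for each certificate.
func Scenario() (genuine, rogue Outcome) {
	const host = "sslvpn.example.com" // constructed target name
	caA, keyA := issue(newTemplate("Gateway CA (constructed)", 1, true), nil, nil)
	caB, keyB := issue(newTemplate("Other Trusted CA (constructed)", 2, true), nil, nil)
	realCert, _ := issue(newTemplate(host, 3, false), caA, keyA)
	rogueCert, _ := issue(newTemplate(host, 4, false), caB, keyB) // CA A never involved

	roots := x509.NewCertPool() // the client's trust store holds both roots
	roots.AddCert(caA)
	roots.AddCert(caB)

	pin := SPKIPin(realCert) // provisioned out of band, e.g. in the VPN client config
	return Evaluate(realCert, roots, host, pin), Evaluate(rogueCert, roots, host, pin)
}

func main() {
	genuine, rogue := Scenario()
	fmt.Printf("genuine cert: chain valid=%v pin match=%v\n", genuine.ChainValid, genuine.PinMatch)
	fmt.Printf("rogue cert:   chain valid=%v pin match=%v\n", rogue.ChainValid, rogue.PinMatch)
}
```

Running it shows the asymmetry the commenter is describing: path validation passes for both certificates, because it only asks whether some trusted root signed the chain, while the pin (or an equivalent check against a CA or key the gateway is known to use) rejects the one issued elsewhere. Pinning has its own operational cost, since the client must be updated before the gateway key rotates, which is why it is normally paired with a backup pin.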

  3. long story short... by brunascle · · Score: 5, Interesting

    The guy was able to buy a certificate for Microsoft's login.live.com, from an undisclosed CA that's trusted by IE by default, because he checked a box saying it was only going to be used for internal use.

    Please reveal the CA. They need to be shut down.

    1. Re:long story short... by jacquesm · · Score: 5, Insightful

      Shutting them down is stopping short, all the certificates issued by them need to be revoked as well and reissued by another CA after thorough checking.

      If there is one documented case there are likely to be many more undocumented cases.

    2. Re:long story short... by QuoteMstr · · Score: 5, Insightful

      Somebody, preferably a government agency, should be in charge of testing CAs. CAs have very strong economic incentives to loosen verification rules in order to compete and sell more certificates. When one CA loosens its rules a little bit, all the others are compelled to do the same to stay competitive. It's a race to the bottom.

      Market forces cannot solve the problem because there's a fundamental information asymmetry. Joe Myspace isn't going to understand what a root CA is, much less manually remove it from his browser. And even if he did understand what that meant, would he lose access to his favorite SSL-protected sites for some egghead's paranoid security fears?

      We need regulation, and we need it now. We need several free, worldwide certificate revocation lists, and we need the agencies running these lists to randomly and anonymously ensure CAs are following the verification rules.

      Having just one CRL gives too much power to one authority, which is especially dangerous if these authorities are organs of government. Browsers should check all CRLs and consider a certificate invalid if, say, two-thirds of the CRLs say to do so.

      In any case, the current situation is untenable.

  4. Re:xkcd comic by Chyeld · · Score: 5, Funny

    Is anyone else on the Internet SICK TO FUCKING DEATH of every story/article/anything having a XKCD comic posted as a link in it?

    No.
     
    Summer Glau

  5. Re:xkcd comic by Anonymous Coward · · Score: 5, Funny

    Well just in case he doesn't know...

    Knowing is half the battle.