And I understand your post now, my bad. Always should read things twice:P . AP spoofing is a big threat, and it's yet another good reason why never to enter your credit card to access wifi anywhere (besides the whole having to pay part:P ).
Who said anything about using public hotspots for secure transactions? Always a bad idea.
That said, the best way I've found to work around this limitation is to have an SSH server on my box at home, and set up my laptop to tunnel all my web traffic over SSH to my desktop. Any MITM attacks are then easily detected, because any potential attacker would have to present a different public key to either side, and SSH will report the probable MITM and exit. It also encrypts all traffic until it gets to your home network, preventing any packet sniffing. Here's a short tutorial I wrote up on the topic, it's a lot easier than you'd think: http://spareclockcycles.wordpress.com/2009/04/10/ssh-secure-browsing-via-socks-proxy/
I was at a McDonald's just today and tried to get on the wireless there. Unfortunately, it was a godforsaken Boingo hotspot (same as the ones that I curse at the airport on a regular basis), and the first thing it asked me for was my credit card number. Needless to say, I didn't stick around long...
You have missed something:P. All DVDs are encrypted via what's known as CSS, a very weak encryption but an encryption nonetheless. On Linux, libdvdcss will take care of that decryption for you transparently, but you do need to already have it installed for any of these ripping tools to work (including Handbrake). On Windows, you need to get something like AnyDVD or DVD43 to decrypt the DVD for you.
No offense, but having a good understanding of XSS attacks at 17 doesn't exactly equate to the mathematical and analytical abilities of Edward Dijkstra. I know I don't put myself anywhere near that level. In fact, I'd argue that the chances are well in favor of him doing something like this again, except worse, rather than his becoming someone who does something beneficial for the world. I mean, look at all the attention he has gotten for this. Imagine what would happen if he does something worse! Punish him now, make him understand the gravity of his actions.
Well, I do, Firefox 3 on Ubuntu. Don't know what to tell you. I agree, doesn't really increase security all. But it sure does make people feel safe, and that's what really matters, right?:P
From everything I've read about this attack, it does not present an https:/// URL on unencrypted traffic, just attempts to trick you into thinking it is encrypted by covertly changing all the https:/// links to http:/// and presenting a padlock favicon on supposedly encrypted sites. It mainly relies on the hope that you don't notice the http:/// link. I would be interested to hear where you have seen otherwise though.
If you're using Firefox, unlike in the demonstration shown on the sslstrip site, it will show you where the link on a button goes to. Make sure that the mouseover link says https:/// and you should at least be better off. Although, then you can start doing things with javascript to change what the mouseover property displays, so there's still room for an attack I guess. Like I said, better to just make sure that there isn't a MITM and its not a problem.
On a side note, I did notice though that Bank of America (a site he showed off the attack on) has since made their home page SSL encrypted. Good for them.
Check to see if the URL to the site begins with http:/// before you login. If it does, and it's displaying a padlock icon (suggesting that it is 'secure'), then you're being attacked. Really, you should already be wary when a site asks you for login information over HTTP rather than HTTPS.
Also, as interesting as this attack is, it should be noted that it does require the attacker to have network access (so he can perform the MITM attack, usually through ARP spoofing). There are a number of ways to fight arp spoofing, but if you're on a small network, just set static arp tables on your machines and you've done pretty much all you can do. The attacker can still attempt to get access at your ISP and on the other end, at the web host, but handling that much traffic without being noticed would be difficult, so I doubt one would try it. (and I'm sure someone will now prove me wrong...:P)
Hearing someone say my right shoe is merely "less likely to spontaneously explode" than an unexploded munition from WW2. leads an uninformed observer to question the safety of my shoe. It's deceptive.
Yeah, because it's not deceptive to claim that an operating system has no exploitable flaws without source code, let alone a formal proof, that that is so...I think "less vulnerable" is an entirely accurate assessment.
And I wouldn't take those shoes on a plane with you...last guy who did that got thrown in jail for the rest of eternity.
At least it is if this means that any business can just grab their VMWare drive images and throw them into VirtualBox instead. If so, they really are giving VMWare a run for their money. Giving users an easy way to migrate their VMs and supporting all the features that VMWare does if not more, all while being FREE, is really going to make a strong case for VirtualBox.
In other words, it doesn't matter that RSA can be broken by large botnets. If it can't be broken as I'm making the request, or before I receive the answer, then it's too late.
Unless they have recorded your encrypted communications, to break open at their earliest convenience...
That being said, RSA is quite secure. Maybe not to the degree of elliptical curve cryptography, but it is sufficient imho. For the time being, even the largest of botnets/giant government data centers are going to have a tough time factoring a 1024 bit key. If they really were worried and wanted to make it more secure, simply using a 2048 bit instead would do wonders. Barring some kind of mathematical breakthrough, I don't see it being broken in the near future.
Slashdot Mirror
And I understand your post now, my bad. Always should read things twice :P . AP spoofing is a big threat, and it's yet another good reason why never to enter your credit card to access wifi anywhere (besides the whole having to pay part :P ).
Who said anything about using public hotspots for secure transactions? Always a bad idea.
That said, the best way I've found to work around this limitation is to have an SSH server on my box at home, and set up my laptop to tunnel all my web traffic over SSH to my desktop. Any MITM attacks are then easily detected, because any potential attacker would have to present a different public key to either side, and SSH will report the probable MITM and exit. It also encrypts all traffic until it gets to your home network, preventing any packet sniffing. Here's a short tutorial I wrote up on the topic, it's a lot easier than you'd think: http://spareclockcycles.wordpress.com/2009/04/10/ssh-secure-browsing-via-socks-proxy/
I was at a McDonald's just today and tried to get on the wireless there. Unfortunately, it was a godforsaken Boingo hotspot (same as the ones that I curse at the airport on a regular basis), and the first thing it asked me for was my credit card number. Needless to say, I didn't stick around long...
They're just a developing country. (http://www.telecomasia.net/article.php?id_article=8986)
No prob, easy mistake. I remember experiencing the same thing on Windows a long while back, very annoying at the time.
You have missed something:P. All DVDs are encrypted via what's known as CSS, a very weak encryption but an encryption nonetheless. On Linux, libdvdcss will take care of that decryption for you transparently, but you do need to already have it installed for any of these ripping tools to work (including Handbrake). On Windows, you need to get something like AnyDVD or DVD43 to decrypt the DVD for you.
No offense, but having a good understanding of XSS attacks at 17 doesn't exactly equate to the mathematical and analytical abilities of Edward Dijkstra. I know I don't put myself anywhere near that level. In fact, I'd argue that the chances are well in favor of him doing something like this again, except worse, rather than his becoming someone who does something beneficial for the world. I mean, look at all the attention he has gotten for this. Imagine what would happen if he does something worse! Punish him now, make him understand the gravity of his actions.
FAIL. Wrong link, my apologies...Google apparently hasn't cached it yet...
Here's a link to Google's cached version of the blog, in case anyone still wants to read it: http://tinyurl.com/cspfrq
You won't find one better than Handbrake, works great for me. Here's a howto I wrote on the topic: http://spareclockcycles.wordpress.com/2008/12/11/handbrake-for-dvd-ripping-on-ubuntu/
Well, I do, Firefox 3 on Ubuntu. Don't know what to tell you. I agree, doesn't really increase security all. But it sure does make people feel safe, and that's what really matters, right? :P
Yeah, you're right. My bad. Someone at Bank of America must have seen that demo and added in some javascript to do that.
While telltale signs of the switch remain â" the Web address starts with HTTP rather than HTTPS â" most users do not even notice.
http://www.securityfocus.com/brief/910
From everything I've read about this attack, it does not present an https:/// URL on unencrypted traffic, just attempts to trick you into thinking it is encrypted by covertly changing all the https:/// links to http:/// and presenting a padlock favicon on supposedly encrypted sites. It mainly relies on the hope that you don't notice the http:/// link. I would be interested to hear where you have seen otherwise though.
If you're using Firefox, unlike in the demonstration shown on the sslstrip site, it will show you where the link on a button goes to. Make sure that the mouseover link says https:/// and you should at least be better off. Although, then you can start doing things with javascript to change what the mouseover property displays, so there's still room for an attack I guess. Like I said, better to just make sure that there isn't a MITM and its not a problem.
On a side note, I did notice though that Bank of America (a site he showed off the attack on) has since made their home page SSL encrypted. Good for them.
Check to see if the URL to the site begins with http:/// before you login. If it does, and it's displaying a padlock icon (suggesting that it is 'secure'), then you're being attacked. Really, you should already be wary when a site asks you for login information over HTTP rather than HTTPS.
Also, as interesting as this attack is, it should be noted that it does require the attacker to have network access (so he can perform the MITM attack, usually through ARP spoofing). There are a number of ways to fight arp spoofing, but if you're on a small network, just set static arp tables on your machines and you've done pretty much all you can do. The attacker can still attempt to get access at your ISP and on the other end, at the web host, but handling that much traffic without being noticed would be difficult, so I doubt one would try it. (and I'm sure someone will now prove me wrong...:P)
>
Hearing someone say my right shoe is merely "less likely to spontaneously explode" than an unexploded munition from WW2. leads an uninformed observer to question the safety of my shoe. It's deceptive.
Yeah, because it's not deceptive to claim that an operating system has no exploitable flaws without source code, let alone a formal proof, that that is so...I think "less vulnerable" is an entirely accurate assessment. And I wouldn't take those shoes on a plane with you...last guy who did that got thrown in jail for the rest of eternity.
At least it is if this means that any business can just grab their VMWare drive images and throw them into VirtualBox instead. If so, they really are giving VMWare a run for their money. Giving users an easy way to migrate their VMs and supporting all the features that VMWare does if not more, all while being FREE, is really going to make a strong case for VirtualBox.
In other words, it doesn't matter that RSA can be broken by large botnets. If it can't be broken as I'm making the request, or before I receive the answer, then it's too late.
Unless they have recorded your encrypted communications, to break open at their earliest convenience...
That being said, RSA is quite secure. Maybe not to the degree of elliptical curve cryptography, but it is sufficient imho. For the time being, even the largest of botnets/giant government data centers are going to have a tough time factoring a 1024 bit key. If they really were worried and wanted to make it more secure, simply using a 2048 bit instead would do wonders. Barring some kind of mathematical breakthrough, I don't see it being broken in the near future.