Full Disclosure: Re: FD / lists.grok.org - bad SSL cert

[Valdis.Kletnieks () vt edu]

On Mon, 05 Jan 2009 13:29:52 PST, Tim said:
> > > How is that better, really?  Run tcpdump or ettercap...  Either of the
> > > tools are off the shelf.
> > And if the site is using a self-signed cert, how does a 3rd party tcpdump
> > manage to get a *decrypted* datastream?  Yes, you can still do traffic analysis
> > on the "X talked to Y with packet sizes A, B, and C" level, but you can't
> > look at the data.
>
> You're missing the point of my comment:
>
>   Plaintext communication => use tcpdump
>
>   Encrypted without a cert => use ettercap (or something similar)
I believe I stated *up front* that it doesn't secure against an active MITM
attack.  Once ettercap presents a *different* certificate than the one you
were expecting, the victim can at least potentially notice (the same way
that OpenSSH complains if it discovers that a host key is different).

There's also issues with getting things like ettercap working if you don't
have access to the last-hop subnet (good luck sniffing all the traffic
between two routers looking for one netflow ;)

No, I don't claim that Joe Sixpack will notice if they're ettercap'ed. However,
fine distinctions like the difference between "just throw ettercap at it" and
"this protects against passive sniffing but not active MITM" are
often important in this business.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/