Re: Proposal: Marking HTTP As Non-Secure

From: Michael Martinez <michael.martinez@xenite.org>
Date: Thu, 18 Dec 2014 18:46:25 -0500
Message-ID: <54936751.8060309@xenite.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, public-webappsec@w3.org, security-dev@chromium.org, mozilla-dev-security@lists.mozilla.org, blink-dev@chromium.org

On 12/18/2014 6:07 PM, Daniel Kahn Gillmor wrote:
> On 12/18/2014 05:55 PM, Michael Martinez wrote:
>> No it doesn't need a certificate.  A MITM can be executed through a
>> compromised or rogue router.  It's simple enough to set up a public
> network in well-known wifi hotspots and attract unwitting users. Then
>> the HTTPS doesn't protect anyone's transmission from anything as the
>> router forms the other end of the secure connection and initiates its
>> own secure connection with the user's intended destination (either the
>> site they are trying to get to or whatever site the bad guys want them
>> to visit).
> It sounds like you're saying that browsers don't verify the X.509
> certificate presented by the https origin server, or at least that they
> don't verify that the hostname matches.
> This is a serious and extraordinary claim.  Please provide evidence for it.
> 	--dkg

No, what I am saying is that you can bypass the certificate for a MITM 
attack via a new technique that was published earlier this year.  If you 
compromise someone else's router you can control it from your own nearby 
router.  The compromised router with the valid certificate sends the 
user through whatever gateway you specify.

What makes the access points most vulnerable to attack is the human 
factor.  Someone has to monitor the system for breaches and how often 
does that happen?  It will vary by company and community, depending on 
how well they budget for competent security techs.  And how often are 
these routers replaced with newer models?  Look at what happened with 
the ISPs earlier this year who had to replace all their routers because 
they ran out of pathway memory.  Even the "big guys" who are supposed to 
think about this stuff all the time allow their equipment to depreciate 
off the books or grow old until it's obsolete.

Meanwhile, you're trying to plug holes in a sieve with HTTPS and browser 

Michael Martinez

Received on Thursday, 18 December 2014 23:46:54 UTC