- From: Michael Martinez <michael.martinez@xenite.org>
- Date: Thu, 18 Dec 2014 18:46:25 -0500
- To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, public-webappsec@w3.org, security-dev@chromium.org, mozilla-dev-security@lists.mozilla.org, blink-dev@chromium.org
On 12/18/2014 6:07 PM, Daniel Kahn Gillmor wrote:
> On 12/18/2014 05:55 PM, Michael Martinez wrote:
>> No, it doesn't need a certificate. A MITM can be executed through a
>> compromised or rogue router. It's simple enough to set up a public
>> network in well-known wifi hotspots and attract unwitting users. Then
>> the HTTPS doesn't protect anyone's transmission from anything as the
>> router forms the other end of the secure connection and initiates its
>> own secure connection with the user's intended destination (either the
>> site they are trying to get to or whatever site the bad guys want them
>> to visit).
> It sounds like you're saying that browsers don't verify the X.509
> certificate presented by the https origin server, or at least that they
> don't verify that the hostname matches.
>
> This is a serious and extraordinary claim. Please provide evidence for it.
>
> --dkg
>

No, what I am saying is that you can bypass the certificate for a MITM attack via a new technique that was published earlier this year. If you compromise someone else's router you can control it from your own nearby router. The compromised router with the valid certificate sends the user through whatever gateway you specify.

What makes the access points most vulnerable to attack is the human factor. Someone has to monitor the system for breaches, and how often does that happen? It will vary by company and community, depending on how well they budget for competent security techs. And how often are these routers replaced with newer models? Look at what happened with the ISPs earlier this year who had to replace all their routers because they ran out of pathway memory. Even the "big guys" who are supposed to think about this stuff all the time allow their equipment to depreciate off the books or grow old until it's obsolete.

Meanwhile, you're trying to plug holes in a sieve with HTTPS and browser warnings.
--
Michael Martinez
http://www.michael-martinez.com/
YOU CAN HELP OUR WOUNDED WARRIORS
http://www.woundedwarriorproject.org/
Received on Thursday, 18 December 2014 23:46:54 UTC