Please explain how a hotspot sending a "splash page" can read keystrokes entered on an encrypted page without installing a trojan keystroke logger program. Do you understand how SSL and certificates work?
Dave
I'm with Magicbus, and not following this either. If you are speaking specifically about keyloggers, it would have to be installed on your end. Your updated anti-virus/anti-malware software would be your first defense. Second, use a password utility to cut and paste your passwords when logging into a site. Keyloggers record keystrokes. You can further protect against software keyloggers on your system by using a keystroke encryption utility such as KeyScrambler. They have a free version, KeyScrambler Personal, which you can download here.
magicbus wrote: In spite of what many would like to believe, if you see the httpS:// your immediate web page session is secure. The security extends far beyond the wifi hotspot you are using all the way to the end server at your bank or whatever. Your keystrokes entered on this page can NOT be logged by the hotspot unless a trojan virus has been installed on your computer.
Dave
NOT totally true. If the hotspot you are accessing sends you to a splash page to log on, your keystrokes CAN be monitored remotely.
If you had read my post 30 seconds later you would have seen I added "Your keystrokes entered on this page can NOT be logged by the hotspot".
Please explain how a hotspot sending a "splash page" can read keystrokes entered on an encrypted page without installing a trojan keystroke logger program. Do you understand how SSL and certificates work?
Dave
It's called an MITM attack, look it up. Contrary to what you think you know, TLS and SSL are vulnerable to attack.
And YES, I understand SSL and TLS VERY well.
p.s. I think I have explained this before. Have spent some time in the black hat community.
* This post was edited 09/24/09 10:00pm by an administrator/moderator *
If referring to a "Man in the Middle" exploit, it's not going to make much difference whether you are using a secure or unsecured WiFi hotspot. Compromising secure WiFi would be a walk in the park compared to exploiting SSL. Bottom line is whether you trust the network you are using. Also, if you trust your SSL session. It would still take a fairly elaborate setup to exploit an SSL session just to target you specifically. I personally do not have an issue of using an unsecured WiFi spot for SSL sessions.
* This post was last edited 09/24/09 01:40pm by 1492 *
Kart-Racer wrote: It's called an MITM attack, look it up. Contrary to what you think you know, TLS and SSL are vulnerable to attack.
And YES, I understand SSL and TLS VERY well.
p.s. I think I have explained this before. Have spent some time in the black hat community.
Wow, until I googled it I thought "black hat" was part of the CIA. If you did explain your association with the "black hat" community it is so secret it was hidden from the forum search engine.
In this case I would be pleased to provide one to you if you would be so kind as to complete your halfway explanation of how SSL with a certificate issued by a CA would be compromised by a Man In The Middle attack. As I understand it, Public Key Infrastructure employing a Certificate Authority does not require in-the-clear transmission of key information. Each party in a session should already have enough information available without exchanging it over the air in the clear. Are you saying this is not the case?
Dave
* This post was edited 09/24/09 10:02pm by an administrator/moderator *
Life doesn't come with a safety fence around it... enjoy it anyway.
Kart-Racer wrote: It's called an MITM attack, look it up. Contrary to what you think you know, TLS and SSL are vulnerable to attack.
And YES, I understand SSL and TLS VERY well.
p.s. I think I have explained this before. Have spent some time in the black hat community.
Wow, until I googled it I thought "black hat" was part of the CIA. If you did explain your association with the "black hat" community it is so secret it was hidden from the forum search engine.
In this case I would be pleased to provide one to you if you would be so kind as to complete your halfway explanation of how SSL with a certificate issued by a CA would be compromised by a Man In The Middle attack. As I understand it, Public Key Infrastructure employing a Certificate Authority does not require in-the-clear transmission of key information. Each party in a session should already have enough information available without exchanging it over the air in the clear. Are you saying this is not the case?
Dave
To put it simply, we would have a script on a RADIUS server that renegotiates the key length to a very small key, by negotiating that this is the only level of encryption that it understands, then simply cracks it.
"Jan 05, 2009. The recent research highlighting the alarming practice of Secure Socket Layer (SSL) Certificate Authority (CA) vendors using the MD5 hashing algorithm (which was known to be broken since 2005) has shown a major crack in the foundation of the Web. While the latest research has shown that fake SSL certificates with MD5 hashes can be forged to perfection when the CA (such as VeriSign's RapidSSL) uses predictable certificate fields, the bigger problem is that the web has fundamentally botched secure authentication."
* This post was edited 09/24/09 10:04pm by an administrator/moderator *
Thanks for the link to the pdf. It was an interesting read except that it discusses the vulnerability of the older SSL 2.0 rather than 3.0 which prevents renegotiation of key length. When looking at my Firefox configuration I see that I have 2.0 disabled and 3.0 enabled by default.
With regards to Mr. Ou's statement, in response to research published in 2008 Verisign RapidSSL discontinued the use of the MD5 algorithm in the same month he put forth his statement. They also offered to replace any outstanding MD5 server certificate at no charge so it is probably safe to assume the OP's bank has updated theirs.
I would say that given the use of SSL 3.0 and the removal of the crackable MD5 encryption method, the OP is as safe doing his online secure work from a wifi site as he is from the comfort of his home (where all he has to worry about is Comcast technicians with a lot of tools at their disposal).
magicbus wrote: Thanks for the link to the pdf. It was an interesting read except that it discusses the vulnerability of the older SSL 2.0 rather than 3.0 which prevents renegotiation of key length. When looking at my Firefox configuration I see that I have 2.0 disabled and 3.0 enabled by default.
With regards to Mr. Ou's statement, in response to research published in 2008 Verisign RapidSSL discontinued the use of the MD5 algorithm in the same month he put forth his statement. They also offered to replace any outstanding MD5 server certificate at no charge so it is probably safe to assume the OP's bank has updated theirs.
I would say that given the use of SSL 3.0 and the removal of the crackable MD5 encryption method, the OP is as safe doing his online secure work from a wifi site as he is from the comfort of his home (where all he has to worry about is Comcast technicians with a lot of tools at their disposal).
Dave
Well, since my last post got deleted and others edited by our way too PC moderators I'm done (I wish they would sack up and PM you a reason why).
I agree IF using SSL 3 you are safe "er".... if the companies take the initiative to update etc.
And I don't think I ever said (will have to re-read post) the OP was not safe. I have no trouble doing my banking via wifi, and do so all the time.
Well don't feel badly, my post from last night was deleted too. I was pleasantly surprised this thread was still open this morning to allow me to post a more comprehensive response.
Well, since my last post got deleted and others edited by our way too PC moderators I'm done (I wish they would sack up and PM you a reason why).
If you had left out the personal comments, none of your posts would have been edited.
There were two posts deleted, one that was "over the top" and one that quoted the other one - Of course we do not allow direct reference to material that has been deleted or edited.
If it is your nature to include personal attacks in your posts, you will get lots of edits or deletions.