Comments on: HTTPS web hijacking goes from theory to practice http://www.formortals.com/https-web-hijacking-goes-from-theory-to-practice/ Because technology isn't just for geeks Tue, 24 Jan 2012 20:02:45 +0000 hourly 1 http://wordpress.org/?v=3.0.3 By: George Ou http://www.formortals.com/https-web-hijacking-goes-from-theory-to-practice/comment-page-1/#comment-1407 George Ou Mon, 02 Mar 2009 20:06:33 +0000 http://www.formortals.com/?p=166#comment-1407 You don't need to use cookies for this. The web browser keeps a much simpler and more compact white list.<br><br>"Another problem is that HTTPS does not work with load balancing and anycasting, which is why many banking homepages are insecure."<br><br>What in the world are you talking about? Most load balancers have very capable HTTPS offloaders. Almost all of the banks I criticized a few years ago have adopted HTTPS on everything. You don’t need to use cookies for this. The web browser keeps a much simpler and more compact white list.

"Another problem is that HTTPS does not work with load balancing and anycasting, which is why many banking homepages are insecure."

What in the world are you talking about? Most load balancers have very capable HTTPS offloaders. Almost all of the banks I criticized a few years ago have adopted HTTPS on everything.

]]> By: Andrew Daviel http://www.formortals.com/https-web-hijacking-goes-from-theory-to-practice/comment-page-1/#comment-1406 Andrew Daviel Mon, 02 Mar 2009 20:04:29 +0000 http://www.formortals.com/?p=166#comment-1406 One way to identify the correct website is by using cookies. The website gives you a permanent secure cookie with an informal ID. When you revisit the site, the login page says "welcome back Joe" and turns green BEFORE you login. If it does not, the page does not "look right".<br>It's not watertight, but it's better than nothing. TD Canada Trust online banking does this.<br><br>Another problem is that HTTPS does not work with load balancing and anycasting, which is why many banking homepages are insecure. Some even put the login form on the insecure page, which is just stupid. Sure, the traffic is encrypted, but the user can't see that, and the whole page might be hijacked to go somewhere completely different. One way to identify the correct website is by using cookies. The website gives you a permanent secure cookie with an informal ID. When you revisit the site, the login page says "welcome back Joe" and turns green BEFORE you login. If it does not, the page does not "look right".
It’s not watertight, but it’s better than nothing. TD Canada Trust online banking does this.

Another problem is that HTTPS does not work with load balancing and anycasting, which is why many banking homepages are insecure. Some even put the login form on the insecure page, which is just stupid. Sure, the traffic is encrypted, but the user can’t see that, and the whole page might be hijacked to go somewhere completely different.

]]> By: George Ou http://www.formortals.com/https-web-hijacking-goes-from-theory-to-practice/comment-page-1/#comment-1396 George Ou Wed, 25 Feb 2009 18:48:14 +0000 http://www.formortals.com/?p=166#comment-1396 DNS does a lot more than resolve IP to name. This is why there are custom records used for things like SenderID, domain keys, etc. DNS does a lot more than resolve IP to name. This is why there are custom records used for things like SenderID, domain keys, etc.

]]> By: TS http://www.formortals.com/https-web-hijacking-goes-from-theory-to-practice/comment-page-1/#comment-1395 TS Wed, 25 Feb 2009 18:47:07 +0000 http://www.formortals.com/?p=166#comment-1395 I think the solution to use DNS as a means to force HTTPS connections is not a wise one.<br><br>DNS is a translator. It translates a name to an IP. It does not make connections for you, either HTTP or HTTPS, the browser does once it resolves the IP.<br><br>The problem is the browser, which isn't context aware to know when to make SSL connections verses standard HTTP. It relies on URLs for deciding security which is plain text which is nonsecure, and can experience man in the middle attack. I think mandatory SSL requirement is kinda stupid. George, you are confusing encryption with security.<br><br>Personally, I think browsers are on the way out. Custom applications built on top of programmable cell phones using SOAP and WS-Security standardization will make the browser obsolete.<br><br>But we still need a solution for the browser world. I propose that we add a special HTML tag to require all browsers implement special login buttons that require SSL. There, problem solved. A PostViaSSL button within browsers that user can visually identify apart from standard Post buttons. I think the solution to use DNS as a means to force HTTPS connections is not a wise one.

DNS is a translator. It translates a name to an IP. It does not make connections for you, either HTTP or HTTPS, the browser does once it resolves the IP.

The problem is the browser, which isn’t context aware to know when to make SSL connections verses standard HTTP. It relies on URLs for deciding security which is plain text which is nonsecure, and can experience man in the middle attack. I think mandatory SSL requirement is kinda stupid. George, you are confusing encryption with security.

Personally, I think browsers are on the way out. Custom applications built on top of programmable cell phones using SOAP and WS-Security standardization will make the browser obsolete.

But we still need a solution for the browser world. I propose that we add a special HTML tag to require all browsers implement special login buttons that require SSL. There, problem solved. A PostViaSSL button within browsers that user can visually identify apart from standard Post buttons.

]]> By: George Ou http://www.formortals.com/https-web-hijacking-goes-from-theory-to-practice/comment-page-1/#comment-1390 George Ou Sun, 22 Feb 2009 04:05:55 +0000 http://www.formortals.com/?p=166#comment-1390 You come on my fake wireless hotspot and I can make a fake Open DNS server using the exact same IP address you've configured it to. If you point to a DNSSEC server, I can't fake that but I can block access to it and then what?<br><br>The point is that you need a local white list cached on your computer for this scenario. You come on my fake wireless hotspot and I can make a fake Open DNS server using the exact same IP address you’ve configured it to. If you point to a DNSSEC server, I can’t fake that but I can block access to it and then what?

The point is that you need a local white list cached on your computer for this scenario.

]]> By: Matt http://www.formortals.com/https-web-hijacking-goes-from-theory-to-practice/comment-page-1/#comment-1389 Matt Sun, 22 Feb 2009 04:03:55 +0000 http://www.formortals.com/?p=166#comment-1389 So, if I'm understanding this correctly, configuring your laptop OS to always use a trusted DNS (such as OpenDNS) even when out an about would solve the problem as well? Is that correct? I know OpenDNS has instructions on how to configure many OSes to always use their servers:<br><br>https://www.opendns.com/start/computer/ So, if I’m understanding this correctly, configuring your laptop OS to always use a trusted DNS (such as OpenDNS) even when out an about would solve the problem as well? Is that correct? I know OpenDNS has instructions on how to configure many OSes to always use their servers:

https://www.opendns.com/start/computer/

]]> By: George Ou http://www.formortals.com/https-web-hijacking-goes-from-theory-to-practice/comment-page-1/#comment-1388 George Ou Fri, 20 Feb 2009 06:03:13 +0000 http://www.formortals.com/?p=166#comment-1388 fixed fixed

]]> By: gary http://www.formortals.com/https-web-hijacking-goes-from-theory-to-practice/comment-page-1/#comment-1387 gary Fri, 20 Feb 2009 06:01:29 +0000 http://www.formortals.com/?p=166#comment-1387 missing a word:<br> but we (NEED) a full implementation of these recommendations and we need everyone to jump on board missing a word:
but we (NEED) a full implementation of these recommendations and we need everyone to jump on board

]]>