From: Paweł Krawczyk (kravietz_at_aba.krakow.pl)
Date: Sat Aug 10 2002 - 02:45:17 CDT
On Wed, Aug 07, 2002 at 12:24:19PM -0700, Mike Benham wrote:
> First of all, https://www.thoughtcrime.org is NOT the demo site. Several
> people were confused by this email, and subsequently concluded that their
> browser isn't vulnerable because they got an alert that the "name on the
> certificate is invalid." If you would like to see a demo of this
> vulnerability, please email me offline.
By the way, I've performed full man-in-the-middle with a real bank
involved and myself as victim. It's easy and works perfectly, so I've put
a brief description and screenshots at http://arch.ipsec.pl/inteligo.html
Details on programs' setup and fake certificate generation are omitted
so as not to provide script-kiddies with a ready recipe.
Actually, you can use Mike's https://www.thoughtcrime.org/ as demo
site but you first need to DNS spoof your browser into thinking
that www.amazon.com has the address 66.93.78.63, which is easy using
dnsspoof from dsniff for example.
-- Paweł Krawczyk, Kraków, Poland http://echelon.pl/kravietz/ crypto: http://ipsec.pl/ horses: http://kabardians.com/