
MITM Attacks and Prevx/SOL


CloneRanger
April 13th, 2010, 10:48 AM
@PrevxHelp

Hi, I saw you respond in post 12 here http://www.wilderssecurity.com/showthread.php?t=269917

-{ Quote: "Protection is also provided over malicious HOSTs files and LSP chain entries which could redirect browsing and any malware trying to use man-in-the-browser hooking to redirect the user is also immediately prevented." }-

-{ Quote: "SafeOnline also goes a few steps further to detect and remove covert proxies, whether hosted locally or remotely, that try to redirect traffic through them." }-

I would be very interested to know if P/SOL is able to protect us from MITM attacks etc., with regard to the following type of scenarios?

Law Enforcement Appliance Subverts SSL

http://www.wilderssecurity.com/showthread.php?goto=newpost&t=268422

In particular a product such as this, for example: http://www.packetforensics.com/govt.safe

I believe now the cat is out of the bag, and these types of attacks, and similar, are not fiction any more; they potentially pose a really great threat. Whether it's .GOV snoops and the like, using those "not so secret anymore" :P pipes etc. in San Francisco and elsewhere, or the other regular bad guys intercepting/altering etc. our data flow.

I know it sounds a lot to ask, but I'm asking ;D as you mentioned MITM. I don't expect an immediate answer as there is a fair bit to digest; 10 minutes is ok though :D

vtol
April 13th, 2010, 11:33 AM
Excellent post/contribution. Was not aware that an SSL chain break-in is possible that way.

Recently had Opera problems with recognising the VeriSign class 3 SSL certificate on https://www.gmx.net. At first I was suspecting a flaw in Opera, but now... Opera is perhaps just doing its job right; the site mentioned belongs to one of the largest email providers in Germany and would certainly make a perfect target for any surveillance body.

On IE8 SafeOnline says the certificate is ok though. Cannot test on Firefox as I'm on 3.7 and SO is not yet compatible.

Curious what Prevx will reply to you.

CloneRanger
April 14th, 2010, 03:54 PM
@vtol

Thanks :thumb:

-{ Quote: "Curious what Prevx will reply to you." }-

Me too :)

@PrevxHelp or someone from Prevx

Nudge Nudge ;) ;)

PrevxHelp
April 15th, 2010, 01:39 AM
The issue of a physical man in the middle attack is indeed a difficult one to circumvent. If someone is able to track all of the traffic from your PC by inserting a physical device between your PC and the ISP, there isn't anything that any software product can do to fully circumvent it. Without trying to toss lighter fluid on the potential privacy fire, it would be fair to note that this type of situation is quite rare and it would likely be easier to break into one's house and steal their credentials from the physical PC sitting at their desk than to manipulate the connection at the ISP/routing point level :)

However, it would be interesting to see what legislation comes from this - there are cases where a court can serve a warrant to an ISP to get traffic logs and irrespective of how secure the transmission may seem, there isn't much that can be done at that level to get around a government mandate.

Although it may seem to be a great way to snoop on a user, it will require physical access, so I'd recommend locking any cable connection points with a physical lock, or still having an identity monitoring service if you are a high net worth customer and more likely to be threatened by a manual attack.

Can a piece of drive-by malware from a Russian website cause this?... no it cannot :)

Without trying to fuel any other conspiracy theories, it would still be far more likely in my personal opinion for a bank teller to steal data in person or for physical ATMs to be compromised (i.e. http://www.fiercefinanceit.com/story/ex-bank-america-employee-accused-atm-fraud/2010-04-10)

It is a difficult world to live in when trying to secure your livelihood, which is why SafeOnline tries to add as many layers of protection as possible :)

I hope that answers your question without me being on my soapbox for too long! ;D

Scoobs72
April 15th, 2010, 01:58 AM
Assuming we are talking about a MITM attack against a secure site, say your banking website, then there are two critical aspects/possibilities:

1. a DNS hijack to a fraudulent site. That site may still have its own SSL certificate but the certificate validation checks will fail against the common name. It is down to the user whether they act upon the warnings their browser issues. There are steps SOL could take here to tighten up the security when this event happens, to ensure the connection doesn't proceed.

2. The fraudulent website has obtained a copy of the private key of the genuine website. In that situation it is game over. However the liability clearly lies with the website. The only possible way SOL could help in that case is if it kept a list of the IP address ranges associated with each banking website when you visit it. If you suddenly find yourself going to the same site in Russia, even though it has the correct SSL certificate, alarms bells could be sounded.
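The two cases above come down to what a browser checks after the TLS handshake: does the name the user typed appear in the presented certificate (case 1 fails here), and is the chain trusted (case 2 passes both checks, hence "game over"). As an added illustration, not code from the thread or from Prevx, here is the hostname-matching step written out with the wildcard rules browsers apply, run over constructed scenario data (reserved `.example` names; the trust decision for the chain is passed in as an input rather than re-implemented):

```python
from __future__ import annotations
import ipaddress


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (SAN dNSName, or CN as a fallback) against the
    requested hostname, following the rules browsers apply (RFC 6125 s6.4.3, simplified):
      * comparison is case-insensitive, trailing dots are ignored
      * a wildcard is honoured only as the entire leftmost label ("*.bank.example")
      * the wildcard covers exactly one label: "*.bank.example" matches
        "online.bank.example" but not "bank.example" or "a.b.bank.example"
      * no wildcard with fewer than two labels after it ("*.example")
      * IP-literal hosts never match a wildcard
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    try:
        ipaddress.ip_address(host)
        return False                      # wildcards never cover IP literals
    except ValueError:
        pass
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert_names: list[str], host: str) -> bool:
    """True if any name the certificate carries covers the host the user asked for."""
    return any(_name_matches(n, host) for n in cert_names)


def connection_verdict(requested_host: str, presented_names: list[str], chain_trusted: bool) -> str:
    """What the browser decides. `chain_trusted` is the result of the separate path-validation
    step (signatures up to a trusted root, validity dates) and is an input here."""
    if not chain_trusted:
        return "WARN: issuer not trusted"
    if not hostname_matches(presented_names, requested_host):
        return "WARN: certificate name mismatch"
    return "OK"


# Constructed scenario data (RFC 2606 reserved names), not real sites.
BANK = "online.bank.example"
BANK_CERT = ["online.bank.example", "*.bank.example"]
TRAP_CERT = ["www.trap.example", "*.trap.example"]   # attacker's own CA-issued certificate


def scenarios() -> dict[str, str]:
    return {
        # normal visit
        "genuine": connection_verdict(BANK, BANK_CERT, chain_trusted=True),
        # case 1: DNS hijack to a trap site that has a valid cert for *its own* name
        "dns_hijack": connection_verdict(BANK, TRAP_CERT, chain_trusted=True),
        # case 2: attacker holds the bank's key and certificate - indistinguishable from genuine
        "stolen_key": connection_verdict(BANK, BANK_CERT, chain_trusted=True),
        # a wildcard must not reach across an extra label
        "deep_label": connection_verdict("a.online.bank.example", ["*.bank.example"], chain_trusted=True),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:11s} {verdict}")
```

The "stolen_key" row is the point of case 2: with the genuine private key the presented names and the chain are both correct, so nothing the client checks can distinguish it, and only out-of-band information (such as where the connection is actually going) could raise an alarm.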

PrevxHelp
April 15th, 2010, 12:12 PM
-{ Quote: "
1. a DNS hijack to a fraudulent site. That site may still have its own SSL certificate but the certificate validation checks will fail against the common name. It is down to the user whether they act upon the warnings their browser issues. There are steps SOL could take here to tighten up the security when this event happens, to ensure the connection doesn't proceed." }-

A DNS level hijack will be detected by SafeOnline - it cross-references the DNS that is being resolved on your PC with the global resolution either supplied by the bank itself or fed from our other users. It allows us to quickly get a picture of what websites are legitimate and which aren't :)

-{ Quote: "2. The fraudulent website has obtained a copy of the private key of the genuine website. In that situation it is game over. However the liability clearly lies with the website. The only possible way SOL could help in that case is if it kept a list of the IP address ranges associated with each banking website when you visit it. If you suddenly find yourself going to the same site in Russia, even though it has the correct SSL certificate, alarms bells could be sounded." }-

Similarly to #1, SafeOnline compares the IP address during the DNS verification to try to find malicious websites automatically. We have blacklisting functionality for IPs/DNS servers but we primarily work off of our triangulation. Granted, there is some leeway allowed (i.e. for websites hosted via Akamai or servers that have multiple data centers in different countries) but if the target website is popular enough to have been seen by a handful of users across the Prevx community, it will automatically have full protection of the resolution and destination of the website :)
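The "triangulation" described in the two replies above is a consensus check: the address the local resolver returned is compared against what the site owner published or what other users saw, with leeway for CDN-hosted sites and no enforcement until enough users have reported the name. The following is an added sketch of that logic, written for this page and not Prevx's implementation; the thresholds, the record layout and all addresses (RFC 5737 test ranges) are assumptions constructed for the demo:

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
import ipaddress

# Assumed policy knobs for the demo, not values from any product.
MIN_OBSERVERS = 5   # enforce only once this many users have reported the name at all
MIN_AGREEMENT = 3   # a community-reported address counts as "known" once this many users saw it


@dataclass
class HostRecord:
    """What the service has collected about one hostname (constructed data below)."""
    publisher_ips: frozenset[str] = frozenset()          # addresses the site owner registered; authoritative when present
    community: Counter = field(default_factory=Counter)  # ip -> number of users whose resolver returned it
    cdn_prefixes: tuple[str, ...] = ()                   # leeway for CDN / multi-datacentre hosting


def assess_resolution(host: str, local_ips: list[str], record: HostRecord | None) -> tuple[str, str]:
    """Compare the local resolver's answer with the global view.
    Returns (verdict, detail); verdict is CONSISTENT, MISMATCH or UNKNOWN."""
    if record is None:
        return "UNKNOWN", f"{host}: never seen by the community"
    if record.publisher_ips:
        # The publisher feed wins: community data can be poisoned if enough resolvers are hijacked.
        known = set(record.publisher_ips)
        source = "publisher list"
    else:
        observers = sum(record.community.values())
        if observers < MIN_OBSERVERS:
            return "UNKNOWN", f"{host}: only {observers} observers, not enforcing"
        known = {ip for ip, n in record.community.items() if n >= MIN_AGREEMENT}
        source = "community consensus"
    nets = [ipaddress.ip_network(p) for p in record.cdn_prefixes]
    for ip in local_ips:
        if ip in known or any(ipaddress.ip_address(ip) in n for n in nets):
            continue
        return "MISMATCH", f"{host} -> {ip} is not in the {source} or CDN prefixes"
    return "CONSISTENT", f"{host} -> {', '.join(local_ips)} agrees with the {source}"


# Constructed records (RFC 5737 documentation addresses), not real data.
RECORDS = {
    "online.bank.example": HostRecord(
        publisher_ips=frozenset({"198.51.100.10", "198.51.100.11"}),
        community=Counter({"198.51.100.10": 40, "203.0.113.66": 1}),   # one poisoned report
    ),
    "www.shop.example": HostRecord(                                     # CDN-hosted, many edge addresses
        community=Counter({"192.0.2.20": 12, "192.0.2.21": 9, "192.0.2.99": 1}),
        cdn_prefixes=("192.0.2.0/24",),
    ),
    "tiny.blog.example": HostRecord(community=Counter({"203.0.113.200": 1})),
}


def scenarios() -> dict[str, str]:
    bank, shop, blog = RECORDS["online.bank.example"], RECORDS["www.shop.example"], RECORDS["tiny.blog.example"]
    return {
        "bank_ok":       assess_resolution("online.bank.example", ["198.51.100.11"], bank)[0],
        "bank_hijacked": assess_resolution("online.bank.example", ["203.0.113.66"], bank)[0],
        "cdn_new_edge":  assess_resolution("www.shop.example", ["192.0.2.77"], shop)[0],
        "cdn_elsewhere": assess_resolution("www.shop.example", ["203.0.113.5"], shop)[0],
        "rare_site":     assess_resolution("tiny.blog.example", ["203.0.113.201"], blog)[0],
        "never_seen":    assess_resolution("new.example", ["192.0.2.1"], RECORDS.get("new.example"))[0],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:14s} {verdict}")
```

Two properties of the check are worth noticing: it is silent for rarely visited sites (the "popular enough" caveat in the reply), and it operates on the destination address, so it still says nothing about a passive device sitting on the path that leaves DNS and the destination untouched.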

CloneRanger
April 15th, 2010, 04:04 PM
@PrevxHelp

Thanks for replying :thumb:

-{ Quote: "Being able to track all of the traffic from our PC by inserting a physical device between our PC and the ISP" }-

That was one scenario; the other was MITM anywhere between our PC and our final destination(s)?

If I've understood correctly, which I may not have ;D, P/SOL only prevents MITM attacks locally within our PC?

Not faulting that, even if that's what P/SOL does, it's great to have :thumb: Just wanted to be clear about its capabilities, don't expect miracles ;) Well not this week anyway, but v4 ;D

So we're safe from the Ruskies :thumb: but what about everyone else ;D Only kidding ;)

BoerenkoolMetWorst
April 15th, 2010, 04:50 PM
-{ Quote: "If I've understood correctly, which I may not have ;D, P/SOL only prevents MITM attacks locally within our PC?" }-

It seems to me that if your DNS servers were hacked and you were being sent to another IP with a fake 'trap' site, SOL would warn you that the IP is not correct, so that would mean the protection is not restricted to locally within your PC.
But I'm not 100% sure, so please correct me if I'm wrong.

PrevxHelp
April 16th, 2010, 10:26 AM
-{ Quote: "It seems to me that if your DNS servers were hacked and you were being sent to another IP with a fake 'trap' site, SOL would warn you that the IP is not correct, so that would mean the protection is not restricted to locally within your PC.
But I'm not 100% sure, so please correct me if I'm wrong." }-

This is exactly correct - SafeOnline's protection extends from the local PC to the resources that the PC uses (the DNS servers and individual IP addresses).

The point which I believe CloneRanger was making in the first post is that it is possible for someone along the line (physical line ;D) to covertly insert another physical device which can capture traffic and at that level, it is virtually impossible for any software to detect it (the only possible way would be to track resolution times and warn if something appears to have been added, but because of the dynamic nature of the internet, this is likely unfeasible).

CloneRanger
April 16th, 2010, 11:58 AM
@PrevxHelp

-{ Quote: "The point which I believe CloneRanger was making in the first post is that it is possible for someone along the line (physical line ) to covertly insert another physical device which can capture traffic and at that level" }-

Yes I was ;) and locally in general as well, in fact any which way.

Re my earlier link http://www.packetforensics.com/govt.safe

So we're all screwed then :( But wait, what about SteveTX's comments ? http://www.wilderssecurity.com/showthread.php?t=268422

-{ Quote: "how XeroBank defeats MITM attacks. In this case, our certificates are pre-shared with the client inside our software, so *any* deviation from the certificate expected will send a warning to the user and prevent a connection from being created." }-

Sanctuary or?
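The XeroBank approach quoted above is certificate pinning: the client ships with the certificate (in practice, the public key) it expects, so a certificate for the same name issued by some other, publicly trusted CA is rejected even though a browser would accept it. As an added worked example for this page, not XeroBank's or Prevx's code, here is a pin check on the SHA-256 of the certificate's subjectPublicKeyInfo, applied to certificates constructed inline with a tiny DER encoder (structurally valid X.509, garbage signatures, made-up keys; nothing here is a real certificate). Pinning the key rather than the whole certificate lets the provider reissue the certificate without a client update:

```python
from __future__ import annotations
import base64
import hashlib
import hmac

# --- minimal DER helpers: enough to build the demo certificates and to walk a real one ---

def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite lengths up to 65535)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, bytes, int]:
    """Return (tag, value, whole_tlv, next_pos) for the TLV starting at pos."""
    start = pos
    tag = buf[pos]; pos += 1
    first = buf[pos]; pos += 1
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big"); pos += k
    end = pos + n
    return tag, buf[pos:end], buf[start:end], end


def spki_from_cert(der: bytes) -> bytes:
    """Extract the subjectPublicKeyInfo TLV from a DER X.509 certificate
    (Certificate -> tbsCertificate -> 7th field, or 6th when the optional version is absent)."""
    tag, cert, _, _ = _read_tlv(der, 0)
    assert tag == 0x30, "not a SEQUENCE"
    tag, tbs, _, _ = _read_tlv(cert, 0)
    assert tag == 0x30, "tbsCertificate missing"
    fields = []
    tag, _, raw, pos = _read_tlv(tbs, 0)
    if tag != 0xA0:              # [0] EXPLICIT version absent: this TLV was serialNumber
        fields.append((tag, raw))
    while len(fields) < 6:       # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
        tag, _, raw, pos = _read_tlv(tbs, pos)
        fields.append((tag, raw))
    tag, spki = fields[5]
    assert tag == 0x30, "subjectPublicKeyInfo missing"
    return spki


# --- pinning ---

def spki_pin(der: bytes) -> str:
    """HPKP-style pin string: base64(SHA-256(subjectPublicKeyInfo))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_from_cert(der)).digest()).decode()


def pin_accepts(presented_der: bytes, pins: set[str]) -> bool:
    """Fail closed: the presented leaf must carry one of the pre-shared keys, whoever signed it."""
    got = spki_pin(presented_der)
    return any(hmac.compare_digest(got, p) for p in pins)


# --- constructed certificates for the demo (valid DER structure, fake signature; NOT real certs) ---

_OID_CN = b"\x55\x04\x03"
_OID_RSA = b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01"
_OID_SHA256_RSA = b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"


def _name(cn: str) -> bytes:
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, _OID_CN) + _der(0x0C, cn.encode()))))


def make_demo_cert(subject_cn: str, public_key: bytes, issuer_cn: str, serial: int) -> bytes:
    alg = _der(0x30, _der(0x06, _OID_SHA256_RSA) + _der(0x05, b""))
    spki = _der(0x30, _der(0x30, _der(0x06, _OID_RSA) + _der(0x05, b"")) + _der(0x03, b"\x00" + public_key))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")) +                       # version v3
               _der(0x02, bytes([serial])) +                           # serialNumber (demo: < 128)
               alg + _name(issuer_cn) +
               _der(0x30, _der(0x18, b"20100101000000Z") + _der(0x18, b"20110101000000Z")) +
               _name(subject_cn) + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xAA" * 16))  # fake signature value


KEY_PROVIDER = bytes(range(64))          # stand-in for the provider's real public key bytes
KEY_INTERCEPTOR = bytes(range(64, 128))  # stand-in for a key the interception appliance controls


def scenarios() -> dict[str, bool]:
    legit = make_demo_cert("vpn.provider.example", KEY_PROVIDER, "Provider Internal CA", 1)
    reissued = make_demo_cert("vpn.provider.example", KEY_PROVIDER, "Provider Internal CA", 2)  # same key, new cert
    forged = make_demo_cert("vpn.provider.example", KEY_INTERCEPTOR, "Big Public CA", 7)       # would chain to a trusted root
    pins = {spki_pin(legit)}   # what ships inside the client
    return {
        "legit": pin_accepts(legit, pins),
        "reissued_same_key": pin_accepts(reissued, pins),
        "ca_issued_forgery": pin_accepts(forged, pins),
    }
```

The "ca_issued_forgery" row is the appliance scenario from the opening post: a certificate for the right name from a trusted CA, which a browser's chain validation accepts, but which fails the pin because the key is not the pre-shared one. The pin set has to ship inside the client, which is why this fits a provider's own client software and not a general browser visiting arbitrary SSL sites, as vtol notes in the next post.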

vtol
April 16th, 2010, 12:10 PM
-{ Quote: "@PrevxHelp

So we're all screwed then :( But wait, what about SteveTX's comments ? http://www.wilderssecurity.com/showthread.php?t=268422

Sanctuary or?" }-

As SteveTX is pointing out, it is their certificate (issued by them?) inside their software, which in my understanding does not work with e.g. webmail providers, because:

A: a webmail provider does not issue its own certificates, not being a certifying body such as VeriSign

B: they do not have their own software but rely on the user's browser

This is just one example; of course it makes sense that banks work with their own certificates and software, however the majority of SSL sites do not.

Also, Prevx would not work on the banking software but with the browser, and thus I would think it is irrelevant for Prevx. I reckon Prevx cannot deal with certificates if forged/issued by a trusted signing authority in favour of any surveillance body.

vtol
April 30th, 2010, 02:00 PM
Just been reading about DNSSEC. Is that something like a cure, and will it be implemented in P/SO?

http://www.neowin.net/news/dnssec-being-rolled-out-may-5th---internet-will-live-on

vtol
May 3rd, 2010, 06:32 PM
-{ Quote: "Just been reading about DNSSEC. Is that something like a cure, and will it be implemented in P/SO?

http://www.neowin.net/news/dnssec-being-rolled-out-may-5th---internet-will-live-on" }-

Curious, has this been considered by the developers and found worth pursuing and implementing, or rather not?

PrevxHelp
May 3rd, 2010, 07:31 PM
-{ Quote: "curious, has this been considered by the developers and found worth to pursue and implement or rather not?" }-

We have not investigated this yet but it will likely be implemented at the operating system layer as it requires some fundamental protocol changes.

vtol
May 3rd, 2010, 07:45 PM
-{ Quote: "We have not investigated this yet but it will likely be implemented at the operating system layer as it requires some fundamental protocol changes." }-

Great to hear, if you get it to work.