How to help Prevent MITM attacks

See what you think of it, & if you find some interesting www's with other ratings/colours as well, show them

DNSSEC "supposedly" protects against man-in-the-middle exploits.

 

Can you think of another way to protect against MITM?

Question: Would you trust an extension to run in the same browser you use to access your bank account?

If the answer is no, then think of another way to protect against MITM, in such situation.

 

No, can you ? Please enlighten us if you can

I don't do online banking You mean this extension, or Any ? You think it's dodgy ?

*

Funny thing, DNSSEC Validator has an OARC DNS checker option to use, but shows the RED key on their www I would have expected them to be GREEN

Test my DNS http://entropy.dns-oarc.net/test

I got GREAT on Everything but still see the RED key for their www

Also Google is listed as Gold in OARC Members https://www.dns-oarc.net but i see RED ?



Same without HTTPS ?

 

Think about the quote you provided from the BitDefender article.

What can you come up with based on that info?

Any extension. Would you access your bank account with a browser running extensions? Or, with a clean one?

 

Depends on the type of MITM attack. I don't know enough about this service.

The best thing to do is to just try and prevent the entire attack entirely by securing your router.

 

Unless you mean for eg, using Tor or a VPN ? In that case they "should" prevent MITM's, other than those options though, & several of my BHO's/Plugins/Extensions, i wish i could say for certain what "might" help prevent such a thing !

You mean, hypothetically if i did bank online, which i don't, as i said Yes i would, these.

Calomel SSL Validation / Force-TLS / Ghostery / HTTPS-Everywhere / NoScript / JavaScript Options / RequestPolicy / BetterPrivacy / Adblock Plus / & maybe the DNSSEC Validator too, but i havn't made my mind up on it yet, as i only installed it today.

Also my Prevx PSOL has a browser BHO/Plugin/Extension which is designed for banking protection, amongst other things, & i & lots of people consider that safe to bank online with.

If you could be more specific as to why you believe BHO's/Plugins/Extensions "might" not be a good idea, i'm sure more than just myself would like to hear

@ Hungry Man

From what i've gathered, even having the best router in the world won't prevent MITM attacks. That's because they are performed "somewhere" between your router/modem & your final destination www, in the "infamous" cloud. Feel free to correct me if i'm in error, and/or anyone else

 

MITM attacks consist of a few methods. All of them center around the attacker being between you and your destination.

1) Take over someone's personal router and "set up shop" there.
2) Attack via public/ shared network (starbucks etc)
3) Control their DNS/ route them to a DNS you control (through malware)
4) Control their ISP (you're boned)
5) Contorl their government (you're really boned)

So you should choose a DNS service that you know secures their servers (not by preventing malware but by the methods to actually secure the servers themselves) and you should harden your router as much as possible.

I don't know of any decent ways to detect certain MITM attacks. There are various methods though and some are more effective than others.

 

Only useful if your important website uses DNSSEC. Thanks for the new freebie anyhow.

 

wow that is helpful

i've been a subject for a lot of MITM attacks in the last month


GOV spying on us

 

What happens with this MITM?

BitDefender says this (Who am I to say otherwise? )

The part where I made emphasis is the key sentence. The fake version of the site will be in a server the attacker controls, correct? Different IP, correct? The only difference being that the domain name is the same, hence DNS spoofing. But, the IP is different.

Now, I won't say that this will be possible for everything, because it won't, as it will be impossible to keep track, but for things like home banking you can protect yourself against it by restricting communications to your bank server IPs.

Bank IPs don't change that often, and 2, 3 IPs tops (it's the number of IPs both my relative's bank and mine (different banks) have), constantly changing, even in a single session. Find out what the IPs are and restrict the browser you use to connect only to those IPs.

In case a MITM attack occurs, you won't* be able to communicate with either of the servers, bank's and attacker's. You'll know something is wrong.

The IP is different, and that's what you got to remember.

-edit-

You won't ever communicate witht the bank. You would be communicating with the attacker, and the attacker with the bank in your behalf. Hence, you wouldn't be able to get in touch with either of the servers.

 

What i said

Great, please spill the beans

Pleasure

@ m00nbl00d

Re - redirecting users to a fake version of the site

Yeah i get all that What about the BHO's/Plugins/Extensions you asked about me using ? How would they affect MITM ?

 

When I say "various methods" I don't mean of protection. I mean of using MITM.

And MITM attacks do not necessarily show you a fake version of the site. They can show you a very much legitimate version of the site.

And the IP doesn't necessarily have to be different. In an example with SSLStripper it absolutely doesn't have to be a different IP. What I'm curious about is whether the IP would actually be different with a spoofed certificate in a more typical MITM.

 

Gotcha

Yeah that's a bad boy for sure

Good question

 

I think your computer makes the IP request as always, the attacker gets it and does his thing, and then he continues to show google your address as per a typical connection. No IP changes necessary, unlike a DNS poisoning attack.

 

Wouldn't restricting communication to port 443 (https) take care of that, though?

I'm not that familiar with sslstripper. I've heard of it (not sure where), but never really looked much into, as I believed restricting communications to port 443 (https) would take care of that.

 

Yes, I believe it would. But it would break any sites that don't use HTTPS.

 

Which is why is a good idea to have two separate browsers. One for general browsing and another one for home banking. It's my opinion, anyway.

And, you're right that the website doesn't have to be a fake. I meant as a fake the server/website. I believed that the communication initiated by the user was/is diverted by the attacker to his/her own server, and from the attacker's server he/she (the attacker) would be the one actually contacting with the bank/other, while the user still believed he/she was communicating with the bank?

I'm not talking about SSLstripper, as restricting to port 443 would take care of that.

 

That would break SSLStripper but not necessarily of MITM attack. (Ah, I see you got to that at the end of the post)

Yes, it would go User -> Attacker -> Bank (or whatever) but the user would still be sending to the bank's IP and the bank would still be sending to the User's IP.

 

Regarding the SSL certificate. I got this from OWASP website:

Source: https://www.owasp.org/index.php/Man-in-the-middle_attack

The user will be estabilishing a connection to the attacker's server, which I believe would be in a different IP? Then from there, the attacker would initiate a new SSL connection to the bank's web server (in my example).

To make it look legit, then the attacker would use a stolen certificate, like recent events showed us.

 

Yeah, the thing I'm still wondering about is if it's a different IP. If your attacker has control over your router you'll make IP request X and the router will redirect to Y, Y goes to the endpoint Z and then back and forth. All the while X and Z should be making their typical IP requests with Y redirecting them.

Gonna need someone who knows the specifics. I may ask a friend.

 

For Firefox users:
Perspectives
Convergence

 

@ m00nbl00d

Can you please expand more about the BHO's/Plugins/Extensions you asked about me using ? How would they affect MITM ?

Look forward

@ MrBrian

Thanks I've been using Calomel SSL Validation for some time

 

With Firefox it involves Javascript. Extensions can execute Javascript at the same level as the user and even sometimes as Admin. Also Firefox does a lot of DNS work itself, like with Prefetching. If the Firefox DNS info gets altered by malicious intention through an extension, it will affect what results are listed, like in Google, populating your results with malware infested links.

Extensions that would be more of a problem, I think, are extensions that update themselves frequently. This would make it possible for the extension creator or another attacker to control the browser through Firefox's built in functionality.

 

@ Searching_ _ _

Thanks for posting wonder where m00nbl00d's gone ?

As i mentioned earlier, amongst other things i have NoScript on Max. Also i have disabled Prefetching, & 99% of the time i use HTTPS Scroogle.

I do however take on board your general points/advice about the Firefox DNS info, & extensions that can update themselves.

*

My main interest is not getting infected with malware via MITM, but rather how we could/can prevent, or help prevent, and/or detect MITM interference by WHOEVER, somewhere/anywhere between our router/modem & the www's we Choose to visit.

*

 

My initial post regarding extensions had a simple fact: They can get access to whatever they want and send it back to their creators.

Imagine you do home banking (I know you don't, but suppose you do.), would you trust ANY extension that much power? Would you put all of your trust in NoScript's developer, etc? Can't any of them simply go rogue?

Extensions, if people must use them, are good for general web browsing to block ads and that crap if their browser doesn't do it natively, or if they don't want to use a hosts file, for example. But, keep them out of your browser when accessing your bank account and other sensitive information.

The same could be said about security vendors. We all know some security vendors have been hacked in the past, and some twice/ more than twice.

What if an attacker gets hold of, say, Prevx (I hope Joe won't come with a bat!) or Trusteer servers?

In the end, it's all about trust. What do think would happen faster? An extension developer going rogue or a security vendor getting hacked?

If you really got to take care of bank affairs, go there in person. lol