MITM Alert?

Discussion in 'Prevx Releases' started by Konata Izumi, Jun 10, 2010.

Thread Status:
Not open for further replies.
  1. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    How will prevx safeonline alert me if MITM occurs? o_O
    can somebody post a screenshot? :<
     
    Last edited: Jun 10, 2010
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Not sure because I have never experienced one! But I do think that the Browser Window will go Black with a Warning Window in the middle of the screen! But Joe will let us know for sure! ;)

    TH
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, this is correct :) The warning covers the full browser window and will prevent the page from loading until it is acknowledged by the user.

    I don't have a screenshot on hand but can infect myself if there is a desire to see the warning :)
     
  4. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    the warning window, is it going to tell me that it was MITM?
    or it would simply say that the page I'm trying to access is blocked because of something malicious?
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Konata Izumi

    Thanks for asking :thumb: I have a related thread here which you might be interested in MITM Attacks and Prevx/SOL https://www.wilderssecurity.com/showthread.php?t=270119

    @PrevxHelp

As it already does? As described above by KI, which I've seen a few times ;) You never mentioned this happening in my thread :( ? Would have made a big difference if you had ;)

If it's different to the above it would be nice to see :) The total blackout effect certainly gets our attention, no missing that, no excuses :thumb:
     
  6. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I'd certainly want to see a blocked MITM. :D
     
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    How will Prevx alert if another computer in the network is compromised causing a MITM?
Is it possible to get the correct address for the browser but receive a MITM attack, and would this subvert Prevx security?

What alerts would occur if a computer, router, modem or Set Top Box not protected by Prevx is MITM with an in-memory mod of tables?
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
I'm not entirely sure how to answer the question but as a point of clarification - one of the aspects of SafeOnline's MITM protection is that it runs a query with our central database to see how a website resolves and compares that to what the local PC is seeing the website as. If there is a mismatch, SafeOnline will show a warning message and block the user from browsing until it is corrected (whether this is caused by a router manipulation, HOSTS file change, or any number of other areas that can be modified).
     
  9. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Are you comparing hashes of the website source code to the hash of the same website viewed by the user?

Seems like you know a lot about people's surfing habits, I'll give you $2 per 1000.

    How does Safe Online handle DNS Rebinding, or is this handled by Prevx?
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No, unfortunately web pages are highly dynamic so hashes don't work. We're looking at the actual addresses that the pages are being served from.

    :p Prevx does not store any personally identifiable information and doesn't store any information at all from SafeOnline.

    SafeOnline primarily handles this by warning if the user is attached to a covert proxy which will prevent the victim from connecting to a "rebound" DNS.
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Searching_ _ _

    :D

    PrevxHelp
    I was going to up it to $3 :D

    :thumb:
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is fully protected in SafeOnline by the same underlying functions that detect mismatched IP addresses - it identifies the user's attempt to go to an HTTPS website and the subsequent behind-the-scenes redirection to an HTTP website. An interesting attack nonetheless, but if you don't use SafeOnline, you can circumvent it by always going to the https* version of a website directly (although indeed that isn't always possible, but for banks/credit cards, it should be :))
     
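The two checks PrevxHelp describes in posts 8 and 13 (a locally observed resolution that disagrees with a trusted reference answer, and a navigation that starts on https:// and silently ends on http://), written out as an added toy example. This is not Prevx/SafeOnline code; the reference database, the local resolutions and the URLs are all constructed values.

```python
"""Added example (not Prevx/SafeOnline code): a toy version of the two checks
described in the thread. (1) Compare how a hostname resolves on the local
machine with a trusted reference answer; (2) flag a navigation that started
at an https:// URL and ended up on http://. All data below is constructed."""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed stand-in for a central database: hostname -> address ranges the
# site is legitimately served from (hypothetical, documentation-range values).
REFERENCE = {
    "bank.example": ["203.0.113.0/24"],
    "shop.example": ["198.51.100.10/32", "198.51.100.11/32"],
}

# Constructed local view: what the PC's resolver (or a tampered HOSTS file /
# router DNS setting) returned for each hostname.
LOCAL_RESOLUTION = {
    "bank.example": "203.0.113.42",   # inside the reference range
    "shop.example": "192.0.2.7",      # outside it: possible local tampering
}

def resolution_mismatch(host, observed_ip, reference=REFERENCE):
    """Return True when the locally observed IP is outside every reference
    range for the host. Hosts absent from the reference are not judged."""
    ranges = reference.get(host)
    if not ranges:
        return False
    addr = ip_address(observed_ip)
    return not any(addr in ip_network(r) for r in ranges)

def https_downgrade(requested_url, final_url):
    """Return True when the user asked for an https:// page but the
    navigation ended on http:// for the same host (SSL-stripping pattern)."""
    req, fin = urlsplit(requested_url), urlsplit(final_url)
    return (req.scheme == "https" and fin.scheme == "http"
            and req.hostname == fin.hostname)

def audit(local=LOCAL_RESOLUTION, reference=REFERENCE):
    """Run the resolution check over every locally observed answer and
    return the hosts that should trigger a full-window warning."""
    return sorted(h for h, ip in local.items()
                  if resolution_mismatch(h, ip, reference))

if __name__ == "__main__":
    print("mismatched hosts:", audit())
    print("downgrade:", https_downgrade("https://bank.example/login",
                                        "http://bank.example/login"))
```

A real product would also have to decide what to do for hosts served from many rotating addresses (CDNs), which is exactly why PrevxHelp says content hashes are unusable and address comparison is used instead.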