Posted by "bruce" on 11/22/05 08:58
your questions are on point...
 if you're going to really talk about doing transactions... it appears to me
 that you really need to solve this. www.passmarksecurity.com claims to have
 solved this.. although i'm not sure i agree with them.. for one, i can't
 find a thorough independent analysis, for two, from what i can tell... they
 rely on the server app getting information from the browser. their approach
 appears to depend on their belief that the intermediary (fake) app can't be
 in the middle, therefore they'll only get valid information from the 'real'
 browser...
 
 as far as i can tell, their solution is to look at certain information (mac
 address/headers/etc...) that they're inclined to believe can't be
 altered/spoofed. i'm not buying it!!!!
 
 as far as i can tell... you essentially need multiple information streams on
 the client(browser) machine coming from the server... in actuality, i can
 envision the following...
 
 
 
 master server      <----> customer client
 /          \
 /            \
 biz server <---> customer browser
 
 the customer and the biz server talk to each other
 the customer client and master server talk to each other
 the customer client and browser are on the same machine
 
 the idea would be for the client app to be able to 'get/see' the url that
 the biz server app is sending for return requests. the client app would then
 go back to the master server to 'determine' if the url/ip address is correct
 for the given site. this can be accomplished fairly quickly by polling
 random dns servers at the master level.
 
 if the majority of the polled dns servers return the same address as the one
 from the biz server, we can assume that the biz server is giving the correct
 url/ip addresses.. this could be done for every request.
 
 this kind of approach would be pretty difficult to corrupt, unless the
 client app were somehow mangled/forged. you could determine if the client
 was ever screwed with by using an SMS type of system via the cell phone...
 
 -bruce
 
 
 
 -----Original Message-----
 From: tg-php@gryffyndevelopment.com
 [mailto:tg-php@gryffyndevelopment.com]
 Sent: Monday, November 21, 2005 8:34 PM
 To: bedouglas@earthlink.net
 Subject: RE: [PHP] security question... "man in the middle attacks"
 
 
 'man in the middle' relates to any interception/redirection and I see I was
 looking at it more as a hacker posing as the user interacting with a
 legitimate site rather than the user interacting with a bogus site.   Two
 sides to a similar coin.
 
 
 real site <----> bogus user - bogus site <-----> real user
 
 
 the session ID issue I was talking about helps prevent a bogus user from
 posing as a legitimate one because only the real-site and the real-user
 should know the session ID being used but then again, it could be
 intercepted.  I think there's more to it than I'm explaining, but it's not
 coming to me right now.  My apologies for not being more specific.
 
 Definitely check out Chris Shiflett's site: http://shiflett.org/ (I got
 un-lazy for a moment to look it up).. he might have something in there
 somewhere.
 
 I think what you're talking about is going to be kind of tricky because more
 so than other security issues, this issue seems more susceptible to
 measure/countermeasure type things.   You could use a secure connection, but
 what happens if the hacker gets a certificate for their bogus site?  What
 happens if they mask the URL so it appears to be coming from the legitimate
 site?
 
 I'm wondering how often the scenario you're talking about will come into
 play though.  Seems that unless someone hacks your site and puts in some
 bogus URLs that drag your legit users away from your legit site, the only
 way someone's going to get lured into this situation is if someone is
 posting bogus URLs somewhere else.. like on online forums or something
 saying "Come see Bruce's website!" and going to a totally different URL
 posing as yours.  In which case you can really only rely on your user's
 intelligence to NOT fall for it.
 
 Anyway, just some things to ponder while you find a "real" answer. :)  I
 have some experience with security issues, but wouldn't necessarily call
 myself an 'expert'.  Working on it though.
 
 -TG
 
 = = = Original message = = =
 
 i'm not sure i see how this would affect a man in the middle attack...
 
 a man in the middle attack, for the purpose of this thread, is the insertion
 of a clone/fake web app between the user's browser and the original web
 site...
 
 i'm looking for ways/solutions that will prevent a fake/clone site from
 redirecting the user, or intercepting the user/initial site traffic...
 
 original              fake                 user
 site   <------->    site   <--------->  browser
 
 in this case a fake site could look like the original site, intercepting the
 communication between the original/user. how can it be detected, can it
 really be prevented?
 
 as far as i can tell, what ever the original might send to the user's
 browser, can simply be intercepted by the fake site, and in turn sent to the
 user, where the response from the user can be sent/spoofed to the
 original...
 
 so, if you're a security guru, or really understand the nuances here.. let's
 hear your information.
 
 thanks
 
 -bruce
 
 
 
 -----Original Message-----
 From: tg-php@gryffyndevelopment.com
 [mailto:tg-php@gryffyndevelopment.com]
 Sent: Monday, November 21, 2005 2:02 PM
 To: bedouglas@earthlink.net
 Subject: Re: [PHP] security question... "man in the middle attacks"
 
 
 You'll probably get some good responses, especially if Chris Schifflet (sp?)
 pipes up.  But one technique I've seen to prevent man in the middle type
 attacks is to make copious use of session IDs.  That is, a session, when
 it's created, generates a unique ID.  When this ID is created, a lot of
 systems will store a copy in a database then periodically query the user to
 see what session ID they have and compare the two.   There may be ways to
 still intercept this or forge the session ID, but it's a start.   Just
 thought I'd mention it in case it helps your web searches at all.
 
 I look forward to hearing the responses your quest generates. Thanks for
 posting!
 
 -TG
 
 = = = Original message = = =
 
 hey...
 
 anybody here have a serious background in security, or with 'man in the
 middle attacks'???
 
 in particular, i'm trying to get my hands around ways of preventing a
 server/browser app from being susceptible to a 'man in the middle attack'
 
 serious pointers would be helpful. searching across google hasn't turned up
 any examples of how this can be accomplished...
 
 thanks
 
 -bruce
 bedouglas@earthlink.net
 
 
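The relay scenario this thread is about, as an added example (an editor's illustration, not code from any of the posters or from PassMark): a stand-in for the real site, a fake site that forwards every request and response, and a browser that believes it is talking to the real site. The session ID the real site issues passes through the relay unchanged, so the session-ID check TG describes is satisfied for the user while the relay also holds a usable copy. The second half implements the majority-vote address check bruce sketches, run against constructed resolver answers, and also shows the case that check does not cover: when the browser reached the fake site under the fake site's own hostname (a lookalike link), every honest resolver agrees with the address the browser is using, so the vote passes. The hostnames, addresses, resolver tables and the tiny request/response format are all assumptions made for the example.

```python
"""Relay ("fake site in the middle") simulation plus a majority-vote DNS check.

Constructed for illustration: hostnames, addresses, resolver tables and the
request/response dicts are assumptions, not data from any real deployment.
"""
import secrets
from collections import Counter

REAL_HOST, REAL_IP = "bank.example", "192.0.2.10"        # assumed
FAKE_HOST, FAKE_IP = "bank-login.example", "198.51.100.7"  # assumed


class RealSite:
    """Legitimate server: issues a session ID at login, requires it afterwards."""

    def __init__(self):
        self.sessions = {}

    def handle(self, req):
        if req["path"] == "/login":
            sid = secrets.token_hex(16)
            self.sessions[sid] = req["user"]
            return {"status": 200, "set_session": sid}
        sid = req.get("session")
        if sid in self.sessions:
            return {"status": 200, "body": f"balance for {self.sessions[sid]}"}
        return {"status": 403, "body": "no valid session"}


class RelaySite:
    """Fake site: forwards everything to the real site and keeps a copy."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.captured = []

    def handle(self, req):
        resp = self.upstream.handle(req)
        self.captured.append((req, resp))
        return resp


class Browser:
    """User agent that stores whatever session ID the server it talks to sets."""

    def __init__(self, server):
        self.server = server
        self.session = None

    def login(self, user):
        resp = self.server.handle({"path": "/login", "user": user})
        self.session = resp["set_session"]
        return resp

    def get(self, path):
        return self.server.handle({"path": path, "session": self.session})


def run_relayed():
    """Login through the relay; then the attacker replays the captured ID.

    Returns (status seen by user, status seen by attacker, same session?).
    """
    real = RealSite()
    relay = RelaySite(real)
    user = Browser(relay)
    user.login("alice")
    user_view = user.get("/balance")
    stolen = relay.captured[0][1]["set_session"]
    attacker_view = real.handle({"path": "/balance", "session": stolen})
    return user_view["status"], attacker_view["status"], stolen == user.session


def majority_address(answers, quorum=0.5):
    """Address returned by more than `quorum` of the resolvers, else None."""
    addr, votes = Counter(answers).most_common(1)[0]
    return addr if votes > len(answers) * quorum else None


def url_check(browser_host, browser_ip, resolvers):
    """bruce's check: do independent resolvers agree with the address in use?"""
    answers = [resolve(browser_host) for resolve in resolvers]
    return majority_address(answers) == browser_ip


HONEST_TABLE = {REAL_HOST: REAL_IP, FAKE_HOST: FAKE_IP}    # constructed
POISONED_TABLE = {REAL_HOST: FAKE_IP, FAKE_HOST: FAKE_IP}  # constructed


def resolver(table):
    return lambda host: table.get(host)


def dns_poisoning_case():
    """Browser's own resolver was poisoned: real hostname, attacker address."""
    resolvers = [resolver(HONEST_TABLE)] * 4 + [resolver(POISONED_TABLE)]
    return url_check(REAL_HOST, FAKE_IP, resolvers)   # False: flagged


def lookalike_domain_case():
    """User followed a link to the fake hostname; DNS is honest everywhere."""
    resolvers = [resolver(HONEST_TABLE)] * 5
    return url_check(FAKE_HOST, FAKE_IP, resolvers)   # True: not flagged
```

`run_relayed()` returns `(200, 200, True)`: the user's request succeeds, the attacker's replay of the captured session ID succeeds, and both use the same ID, which is why a session-ID comparison alone cannot tell the relay apart from the user. The two resolver cases show where the majority vote helps (a poisoned answer for the real hostname is outvoted) and where it does not (a lookalike hostname resolves consistently everywhere).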