Posted by "bruce" on 11/22/05 08:58
your questions are on point...
if you're going to really talk about doing transactions... it appears to me
that you really need to solve this. www.passmarksecurity.com claims to have
solved this.. although i'm not sure i agree with them.. for one, i can't
find a thorough independent analysis, for two, from what i can tell... they
rely on the server app getting information from the browser. their approach
appears to depend on their belief that the intermediary (fake) app can't be
in the middle, therefore they'll only get valid information from the 'real'
browser...
as far as i can tell, their solution is to look at certain information (mac
address/headers/etc...) that they're inclined to believe can't be
altered/spoofed. i'm not buying it!!!!
as far as i can tell... you essentially need multiple information streams on
the client(browser) machine coming from the server... in actuality, i can
envision the following...
master server <----> customer client
      /                    \
     /                      \
biz server <---> customer browser
the customer and the biz server talk to each other
the customer client and master server talk to each other
the customer client and browser are on the same machine
the idea would be for the client app to be able to 'get/see' the url that
the biz server app is sending for return requests. the client app would then
go back to the master server to 'determine' if the url/ip address is correct
for the given site. this can be accomplished fairly quickly by polling
random dns servers at the master level.
if the majority of the polled dns servers return the same address as the one
from the biz server, we can assume that the biz server is giving the correct
url/ip addresses.. this could be done for every request.
this kind of approach would be pretty difficult to corrupt, unless the
client app were somehow mangled/forged. you could determine if the client
was ever screwed with by using an SMS type of system via the cell phone...
-bruce
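The majority vote bruce sketches above (several independent resolvers are asked for the site's address, and the address the biz server handed over is trusted only if most resolvers agree with it), written out as an added example that is not from the original thread or from any product it mentions. The resolver answers are constructed stand-ins for real lookups, and the quorum size is an assumption.

```python
"""Majority vote over several DNS resolvers' answers for one hostname.

Constructed, offline example: the resolver answers below are hard-coded
stand-ins for what a client would get by querying several independent
resolvers; the minimum number of responders is an assumed policy value."""
from collections import Counter
from urllib.parse import urlparse

MIN_RESPONSES = 3  # assumption: fewer answering resolvers than this is inconclusive


def hostname_from_url(url):
    """Pull the host part out of the return URL the business server handed over."""
    host = urlparse(url).hostname
    if not host:
        raise ValueError("URL has no hostname: %r" % url)
    return host


def majority_address(answers):
    """Return (address, votes, responders) for the address most resolvers agree on.

    `answers` maps a resolver label to the address it returned, or None when
    that resolver timed out or failed.  Too few responders, or a tie between
    two answers, yields address None so the caller treats it as inconclusive."""
    valid = [addr for addr in answers.values() if addr]
    if len(valid) < MIN_RESPONSES:
        return None, 0, len(valid)
    (top, votes), = Counter(valid).most_common(1)
    # Require a strict majority of responders: one lying resolver cannot win,
    # and an even split is rejected instead of guessed at.
    if votes * 2 <= len(valid):
        return None, votes, len(valid)
    return top, votes, len(valid)


def server_address_is_consistent(claimed_address, answers):
    """True only if the address the business server uses is the majority answer."""
    top, _, _ = majority_address(answers)
    return top is not None and top == claimed_address


# Constructed sample: four resolvers agree, one disagrees, one timed out.
SAMPLE_ANSWERS = {
    "resolver-a": "203.0.113.10",
    "resolver-b": "203.0.113.10",
    "resolver-c": "203.0.113.10",
    "resolver-d": "203.0.113.10",
    "resolver-e": "198.51.100.7",
    "resolver-f": None,
}
```

Feeding real lookups in is a matter of replacing `SAMPLE_ANSWERS` with the output of a resolver library; the vote logic itself stays the same.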
-----Original Message-----
From: tg-php@gryffyndevelopment.com
[mailto:tg-php@gryffyndevelopment.com]
Sent: Monday, November 21, 2005 8:34 PM
To: bedouglas@earthlink.net
Subject: RE: [PHP] security question... "man in the middle attacks"
'man in the middle' relates to any interception/redirection and I see I was
looking at it more as a hacker posing as the user interacting with a
legitimate site rather than the user interacting with a bogus site. Two
sides to a similar coin.
real site <----> bogus user - bogus site <-----> real user
the session ID issue I was talking about helps prevent a bogus user from
posing as a legitimate one because only the real-site and the real-user
should know the session ID being used but then again, it could be
intercepted. I think there's more to it than I'm explaining, but it's not
coming to me right now. My apologies for not being more specific.
Definitely check out Chris Shiflett's site: http://shiflett.org/ (I got
un-lazy for a moment to look it up).. he might have something in there
somewhere.
I think what you're talking about is going to be kind of tricky because more
so than other security issues, this issue seems more susceptible to
measure/countermeasure type things. You could use a secure connection, but
what happens if the hacker gets a certificate for their bogus site? What
happens if they mask the URL so it appears to be coming from the legitimate
site?
I'm wondering how often the scenario you're talking about will come into
play though. Seems that unless someone hacks your site and puts in some
bogus URLs that drag your legit users away from your legit site, the only
way someone's going to get lured into this situation is if someone is
posting bogus URLs somewhere else.. like on online forums or something
saying "Come see Bruce's website!" and going to a totally different URL
posing as yours. In which case you can really only rely on your user's
intelligence to NOT fall for it.
Anyway, just some things to ponder while you find a "real" answer. :) I
have some experience with security issues, but wouldn't necessarily call
myself an 'expert'. Working on it though.
-TG
= = = Original message = = =
i'm not sure i see how this would affect a man in the middle attack...
a man in the middle attack, for the purpose of this thread is the insertion
of a clone/fake web app between the user's browser and the original web
site...
i'm looking for ways/solutions that will prevent a fake/clone site from
redirecting the user, or intercepting the user/initial site traffic...
original            fake               user
  site <-------> site <---------> browser
in this case a fake site could look like the original site, intercepting the
communication between the original/user. how can it be detected, can it
really be prevented?
as far as i can tell, what ever the original might send to the user's
browser, can simply be intercepted by the fake site, and in turn sent to the
user, where the response from the user can be sent/spoofed to the
original...
so, if you're a security guru, or really understand the nuances here.. let's
hear your information.
thanks
-bruce
-----Original Message-----
From: tg-php@gryffyndevelopment.com
[mailto:tg-php@gryffyndevelopment.com]
Sent: Monday, November 21, 2005 2:02 PM
To: bedouglas@earthlink.net
Subject: Re: [PHP] security question... "man in the middle attacks"
You'll probably get some good responses, especially if Chris Schifflet (sp?)
pipes up. But one technique I've seen to prevent man in the middle type
attacks is to make copious use of session IDs. That is, a session, when
it's created, generates a unique ID. When this ID is created, a lot of
systems will store a copy in a database then periodically query the user to
see what session ID they have and compare the two. There may be ways to
still intercept this or forge the session ID, but it's a start. Just
thought I'd mention it in case it helps your web searches at all.
I look forward to hearing the responses your quest generates. Thanks for
posting!
-TG
= = = Original message = = =
hey...
anybody here have a serious background in security, or with 'man in the
middle attacks'???
in particular, i'm trying to get my hands around ways of preventing a
server/browser app to be susceptible to a 'man in the middle attack'
serious pointers would be helpful. searching across google hasn't turned up
any examples of how this can be accomplished...
thanks
-bruce
bedouglas@earthlink.net