ARP-spoofing defense

Corey Edwards tensai at zmonkey.org
Wed Mar 14 11:28:00 MDT 2007


On Wed, 2007-03-14 at 11:22 -0600, Levi Pearson wrote:
> Topher Fischer <javert42 at cs.byu.edu> writes:
> > Since I've started working on this, I haven't used a login form that
> > wasn't given to me over SSL.  Luckily, everything I use has some sort of
> > secure login form somewhere on their site.  I've tried to find one for
> > Zion's bank, and haven't been able to.  Fortunately, I don't bank with them.
> 
> Zion's Bank uses one of those new-fangled multi-step logins.  You
> enter your user id on the front page, and then you are shown a picture
> and asked a question (over an ssl connection) or, if you've previously
> done this step and got a cookie, you're shown a picture and asked to
> enter your password.  Since only the user id is entered into the form
> in the non-ssl page, it should be safe from your particular attack.

It's vulnerable to a non-ssl attack. Swap out the https login URL for
one of your own devising. Then simply proxy all the https info to the
user over your spoofed http connection. It would work against anybody
who doesn't verify the cute little lock icon. Or use a self-signed cert
and hope to catch somebody who would ignore the error, as most people
would.

Corey
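
A defender-side check for the weakness discussed in this thread, added here as an example and not part of the original messages: it flags forms whose HTTPS action is delivered on a page that is itself not served over HTTPS, and HTTPS pages sent without HSTS. The host `bank.example`, the sample markup, and the names `FormCollector` and `audit_forms` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a user-id form like the one described in the thread.
SAMPLE_HTML = ('<form action="https://bank.example/login" method="post">'
               '<input type="text" name="userid"></form>')


class FormCollector(HTMLParser):
    """Collect each form's action URL and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms, self.in_form = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag == "input" and self.in_form:
            self.forms[-1]["fields"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def audit_forms(page_url, html, headers):
    """Return (target, fields, issue) for forms exposed to on-path rewriting."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    page_https = urlsplit(page_url).scheme == "https"
    hsts = any(k.lower() == "strict-transport-security" for k in headers)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            issue = "form submits over plain HTTP"
        elif not page_https:
            # The thread's case: the HTTPS action arrives on an unauthenticated
            # page, so it can be rewritten before the browser ever sees it.
            issue = "HTTPS action delivered on an HTTP page"
        elif not hsts:
            issue = "HTTPS page without HSTS, first request can start on HTTP"
        else:
            continue
        findings.append((target, form["fields"], issue))
    return findings
```

Run against a site's front page, a clean result requires the page carrying the form to be HTTPS with HSTS, not only the form's action.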




