ARP-spoofing defense

Levi Pearson levi at cold.org
Wed Mar 14 11:38:38 MDT 2007


Corey Edwards <tensai at zmonkey.org> writes:
> It's vulnerable to a non-ssl attack. Swap out the https login URL for
> one of your own devising. Then simply proxy all the https info to the
> user over your spoofed http connection. It would work against anybody
> who doesn't verify the cute little lock icon. Or use a self-signed cert
> and hope to catch somebody who would ignore the error, as most people
> would.

I never said it was totally secure, just that it wasn't vulnerable to
the particular attack.  At least your version of an attack has several
(perhaps inconspicuous and oft-ignored) roadblocks that must be
ignored before it works.

                --Levi




