ARP-spoofing defense

Topher Fischer javert42 at
Wed Mar 14 11:16:16 MDT 2007

Michael L Torrie wrote:
> On Wed, 2007-03-14 at 10:07 -0700, Nicholas Leippe wrote:
>> This is an optimization.  Your host does this with the idea that if you do 
>> decide to talk to one of these machines from which it has already seen ARP 
>> traffic, it can skip that step.
>> As for man-in-the middle, playing with ARP can cause disruption of services, 
>> and could intercept insecure protocols.  Which is why for critical data, ssl 
>> or other secure mechanism should be used.
> Additionally this is why SSL uses certificates that should be verified
> to prove that the host is who it says it is. Also ssh key fingerprints
> should always be verified.  How often do we ssh into a box and just
> automatically type "yes" to the fingerprint authorization?
> Michael
The point of my project is to show that in many cases, SSL will not
protect you, because it's enabled to late in the game.  Many web sites
present their login forms over an insecure connection, and then use SSL
to process the form.  For my project, I wrote a simple proof-of-concept
program that (once I have a man-in-the-middle attack going by way of
ARP-spoofing), watches for the victim to request a certain page (in this
case, the BYU home page), and then my program serves up an altered
version.  If the client uses the altered login form, their username and
password are sent in the clear, and picked up by my program.

Since I've started working on this, I haven't used a login form that
wasn't given to me over SSL.  Luckily, everything I use has some sort of
secure login form somewhere on their site.  I've tried to find one for
Zion's bank, and haven't been able to.  Fortunately, I don't bank with them.

Topher Fischer
GnuPG Fingerprint: 3597 1B8D C7A5 C5AF 2E19  EFF5 2FC3 BE99 D123 6674
javert42 at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 251 bytes
Desc: OpenPGP digital signature
Url : 

More information about the PLUG mailing list