Comments on: Recent Haxdoor Distribution Breaks SSL via Pharming http://www.mal-aware.org/2006/02/14/recent-haxdoor-distribution-breaks-ssl-via-pharming/ Malicious Activity Awareness and Response Thu, 20 Nov 2008 17:55:32 +0000 http://wordpress.org/?v=2.5 By: Lance James http://www.mal-aware.org/2006/02/14/recent-haxdoor-distribution-breaks-ssl-via-pharming/#comment-10 Lance James Sun, 19 Feb 2006 18:27:48 +0000 http://www.mal-aware.org/2006/02/14/recent-haxdoor-distribution-breaks-ssl-via-pharming/#comment-10 I liked the explanation Robert, but there is something that you're under-playing here. The web browser is supposed to do it's job. The issue isn't that there is a trojan that can hook into IE and grab all traffic before it's encrypted, the issue is that it performed a successful man-in-the-middle by using a mixed-certificate technique to bypass the "EDUCATION" of SSL and the authentication. An example of this is here: http://ip.securescience.net/exploits/ssl_mix.html This demonstrates 4 frames 2 of which are SSL protected, and 2 which are not. No matter what browser we demonstrate this from, there are no warnings, pop-ups, or anything about non-secure pages, secure pages, and as we all know there is no Lock at the bottom. If you reverse the roll: https://slam.securescience.com/threats/mixed.html We see my Cert (which shouldn't alert, some browsers in mozilla still don't like Thawte), and we also have two frames with two separate SSL certs on the page. No warnings, and the SSL lock states that it's what the domain has. This is a problem with cross-user attacks as well as Trojans that Pharm because they easily fake "authentication" which is the intent of SSL for the home user, to authenticate the site and make sure they are there. The education around this for pharming is to use SSL to verify you are at the site. Well - in this report, this proves that not all cases will work. I liked the explanation Robert, but there is something that you’re under-playing here. The web browser is supposed to do it’s job. The issue isn’t that there is a trojan that can hook into IE and grab all traffic before it’s encrypted, the issue is that it performed a successful man-in-the-middle by using a mixed-certificate technique to bypass the “EDUCATION” of SSL and the authentication. An example of this is here:

http://ip.securescience.net/exploits/ssl_mix.html

This demonstrates 4 frames 2 of which are SSL protected, and 2 which are not. No matter what browser we demonstrate this from, there are no warnings, pop-ups, or anything about non-secure pages, secure pages, and as we all know there is no Lock at the bottom. If you reverse the roll:

https://slam.securescience.com/threats/mixed.html

We see my Cert (which shouldn’t alert, some browsers in mozilla still don’t like Thawte), and we also have two frames with two separate SSL certs on the page. No warnings, and the SSL lock states that it’s what the domain has. This is a problem with cross-user attacks as well as Trojans that Pharm because they easily fake “authentication” which is the intent of SSL for the home user, to authenticate the site and make sure they are there. The education around this for pharming is to use SSL to verify you are at the site. Well - in this report, this proves that not all cases will work.

]]> By: Someone Else http://www.mal-aware.org/2006/02/14/recent-haxdoor-distribution-breaks-ssl-via-pharming/#comment-9 Someone Else Sun, 19 Feb 2006 15:43:26 +0000 http://www.mal-aware.org/2006/02/14/recent-haxdoor-distribution-breaks-ssl-via-pharming/#comment-9 <strong>Have hackers "Broke" SSL?...</strong> Seems that there has been some rumbling that SSL encryption has been broken recently, which is quite...... Have hackers "Broke" SSL?…

Seems that there has been some rumbling that SSL encryption has been broken recently, which is quite……

]]>