The way it is mentioned, it probably seems to be some kind of transparent
proxy. I would avoid any important HTTPS transaction without making sure you
are really connected to the target server (such as Internet Banking).
Although they may create somehow a transparent proxy to provide you with SSL
content, the x.509 certificate used will not be the same of the desired
Internet Service (check it before executing any further SSL transaction).
Another way to go would be a "clientless" acceleration channel, where you
would be required to download an activeX/Java component so HTTP/HTTPS
connections would go straight forward using their "clientless" solution --
that way, they would be able to provide Ads even for SSL connections.
Thiago Zaninotti,Security+,CISSP-ISSAP,CISM
----- Original Message -----
From: "Jason" <security@brvenik.com>
To: "Saqib Ali" <docbook.xml@gmail.com>
Cc: <varenc@mit.edu>; <webappsec@securityfocus.com>
Sent: Saturday, April 22, 2006 9:56 PM
Subject: Re: OT: Inserting Ads without breaking the SSL
Saqib Ali wrote:
I would not believe it possible as you describe it. Have you seen this
happen?
I have not seen it myself. But I plan to visit Santa Clara and try it
out in next couple of days. But I found their technique to be very
strange, cause they clearly says that NO software installation
required on their website. So I figured it must be some kind of proxy
that modify the HTML pages. But that would certainly break SSL.
It is not difficult to implement a transparent proxy that does this for
regular HTTP traffic leaving the other traffic completely alone. There
are many examples to look at and I suspect this is really just an
extension of captive portals.
I thought other readers of this list may have seen / implemented
something like this. Thus the question.
There have been MITM tools released and they can be effective but
generally rely on the user making a mistake. I would doubt the SSL is
being touched at all.
--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------
-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------
