[lug] How do you keep your passwords safe while Paying bills and Day Trading at Work?

Zan Lynx zlynx at acm.org
Tue Oct 7 17:03:42 MDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ben wrote:
> 
>> At the company I work at the administrators have remote access to all
>> the company computers. They could easily control where the browser
>> looked for the signed key for an SSL certificate then launch a man in
>> the middle attack. Or at least in theory this could happen.
>>   
> Maybe I'm wrong, but my understanding is that the point of https / SSL
> is to stop this (man-in-the-middle, DNS hijacking, etc) from being
> possible. Assuming your browser isn't compromised, when you go to
> https://mysecurebank.com the browser sees that its SSL certificate was
> signed by Verisign (or whomever). Verisign's public key is hard coded
> into the browser and the browser goes to Verisign to make sure the SSL
> certificate is legit. If the DNS is hacked (or router rerouting
> traffic), the attacker cannot successfully impersonate Verisign because
> he doesn't have Verisign's private key. And he cannot impersonate
> mysecurebank.com because he doesn't have its private key and if he uses
> another public / private key combination, it won't be signed by
> Verisign, so we will know that the certificate isn't right.
> 
> Am I missing something? My understanding is that as long as the machine
> you are using isn't compromised, and the server you are connected to
> isn't hacked and it is using a certificate signed by a legit 3rd party,
> there is no need to worry about what's in between when using https.

It's pretty easy, really.

First, create your own top-level SSL signing certificate.  You can name
it anything you like, including Verisign if you like to be sneaky.

Next, place the public half of this certificate in the trusted
certificate store of all the client systems.

On the gateway firewall or just before it, place a firewall redirect
rule for HTTPS port 443 to a local intercept proxy.

Program the proxy to:
 Receive the HTTPS request
 Retrieve the actual site certificate and clone its data fields
 Dynamically generate an SSL certificate for the requested site
 Use the now trusted top-level signing certificate to sign the new site certificate.
 Proceed with the man in the middle proxy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjr6s0ACgkQolqWs/Y4NLyYkgCgoDIIytsuJ4KgpgKnNbyNDC+u
ry4An3wYnpSHglXaUeuMGjVznxpTqgst
=YXcv
-----END PGP SIGNATURE-----
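
Added example, not part of the original message: a client-side check showing why comparing certificate names cannot reveal the interception described above, while a fingerprint pinned from a trusted network does. The function names, the sample dicts and the byte strings standing in for DER certificates are all constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Fields an intercept proxy can copy from the real certificate, plus the
# issuer name, which the operator of a private root is free to choose.
COPYABLE = ("subject", "subjectAltName", "notBefore", "notAfter", "issuer")


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate; covers its public key and signature."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Leaf certificate as accepted by the local trust store (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def assess(seen_fields: dict, seen_der: bytes, ref_fields: dict, pinned: str) -> str:
    """Classify a certificate against a pin recorded on a trusted network."""
    if hmac.compare_digest(fingerprint(seen_der), pinned):
        return "pin-match"
    if all(seen_fields.get(k) == ref_fields.get(k) for k in COPYABLE):
        return "fields-match-pin-mismatch"  # same names, different key/signature
    return "different-certificate"


# Constructed sample data: a dict shaped like ssl.SSLSocket.getpeercert()
# output, and byte strings standing in for DER encodings.
REFERENCE = {
    "subject": ((("commonName", "mysecurebank.com"),),),
    "issuer": ((("organizationName", "Verisign"),),),
    "subjectAltName": (("DNS", "mysecurebank.com"),),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Jan  1 00:00:00 2009 GMT",
}
REAL_DER = b"constructed-der:mysecurebank.com:key=bank"
PROXY_DER = b"constructed-der:mysecurebank.com:key=proxy"
PIN = fingerprint(REAL_DER)  # recorded out-of-band, e.g. from a home network

if __name__ == "__main__":
    print(assess(REFERENCE, REAL_DER, REFERENCE, PIN))
    print(assess(dict(REFERENCE), PROXY_DER, REFERENCE, PIN))
```

On a live connection, pass the result of `fetch_leaf_der()` as `seen_der`; a legitimate certificate renewal also changes the fingerprint, so the pin has to be refreshed from a trusted network when the site rotates its certificate.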


