[lug] How do you keep your passwords safe while Paying bills and Day Trading at Work?

Zan Lynx zlynx at acm.org
Thu Oct 9 15:35:53 MDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

karl horlen wrote:
> your example makes me think!
> 
> in terms of ISPs.  either the one you connect to from home and/or the one you colocate a server with on the backend, would this man in the middle attack be easily applicable to other services like ssh, vpn, etc?
> 
> since you have to connect to the internet via your isp.  and since your internet server (if you have one) likely lives behind an isp firewall or router at a facility, it seems likely that (if the isps were willing to spend the time and effort and were dishonest) they could easily set up a proxy to intercept any of these known services to sniff an id / password combo or key long enough, maybe one attempt to get the necessary credentials.  After which they take down the intercept and now have access to a variety of your remote accounts.
> 
> does that sound plausible?  
> 
> it seems the isps are really functioning as your corporate sys admins in the corporate network example below.  the isps control the in / out pipeline to the greater inet and are always accessed on inbound outbound connections to / from a source destination route.  thus it would seem easy for them to track the controlled traffic and spoof exploits.
> 
> am i misguided?  does this seem that easy or is it much more difficult than that? am i really safe doing anything on the internet if i have rogue isps?

In my example (deleted), the part that makes the attack possible is the
access to the client computer.

Your ISP does not have such access to your computer (unless you ran
their installer program on Windows and it had a Trojan).  However,
corporate IT does have access like that to all their business computers.

In summary, no, your ISP cannot do a man in the middle attack on your
SSL secure web sessions.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjueTkACgkQolqWs/Y4NLyuagCfU/bEEeVfFoXnHMpxk0llrTIf
aKEAnjsoVoRjOVLt+QCKzkmjjPp0TRc+
=xSx6
-----END PGP SIGNATURE-----
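
Added example, not part of the original message: a shell sketch of why the client's trust store decides whether an interception certificate is accepted. It assumes the "access to the client computer" in the reply means an administrator adding a root certificate to that store (the deleted example is not on this page); every name, key and certificate is constructed locally, and the `openssl` CLI with its default configuration is required.

```shell
#!/bin/sh
# Constructed demo: "bank.example" and both roots are made up and generated here.

make_ca() {  # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_cert() {  # $1 = CA prefix, $2 = leaf prefix, $3 = hostname
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# Chain check only: does certificate $2 chain to a root in trust store $1?
client_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

verdict() {  # prints accept or reject for trust store $1 and certificate $2
    if client_accepts "$1" "$2"; then echo accept; else echo reject; fi
}

run_demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_ca public "Constructed Public Root" || exit 1
        make_ca rogue "Constructed Interception Root" || exit 1
        issue_cert public real bank.example || exit 1
        issue_cert rogue forged bank.example || exit 1
        cp public.pem home.pem                  # home PC: only the public root
        cat public.pem rogue.pem > managed.pem  # managed PC: admin added a root
        echo "home/real=$(verdict home.pem real.pem)"
        echo "home/forged=$(verdict home.pem forged.pem)"
        echo "managed/forged=$(verdict managed.pem forged.pem)"
    )
    status=$?
    rm -rf "$dir"
    return $status
}

run_demo
```

Auditing the list of trusted roots on a machine is therefore the check that distinguishes the two cases.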


