
Phorm, mitm, and https



bealoid
02-23-08, 08:34 AM
{x-posted to alt.privacy and alt.computer.security}

A number of UK ISPs have signed up for Phorm. This is, IMO, pretty bad.

Phorm say that they ignore anything going over https. For the purposes of
this thread, imagine a rogue, black-hat, Phorm.[1] Or even a rogue,
black-hat, ISP.

Ann, at her pc, logs into her internet "Bob's Bank" bank account.

What are the steps involved between Ann's browser and Bob's web page?

Is there any way for EvePhorm to mount a serious mitm attack?

Is there any way for EveBlackHatISP to mount a serious mitm attack?

I'm only really interested in attacks that allow Eves to either see the
financial data, or worse. I'd be interested to know what kind of mild data
leaks would be available.

Many thanks for any replies.

nemo_outis
02-23-08, 10:02 AM
bealoid <signup@bealoid.co.uk> wrote in
news:Xns9A4D94296AC6FYAsfKJXSTO@194.117.143.37:

You need to read up on SSL.

Simplifying a bit, as long as:

1) the bank (or other destination site) has properly implemented its pages
(doesn't mix http & https, doesn't switch away, etc.), and
2) you actually *check* its SSL certificate to make sure it's for whomever
you're trying to connect to,

you're bombproof.

Regards,

PS This assumes, of course, that your computer is not infested with
spyware, Trojans, and the like and that you practice safe computing by
securing your browser, flushing caches and cookies, etc. or even signing
off after a secure session. In short, SSL protects communications in
transit, it doesn't protect against compromise (and stupid mistakes) at
either end point, especially by a user unreflectively clicking on stuff he
shouldn't (slightly misspelled URLs, etc.).
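
The two conditions in the post above, written out as checks. This is an added example, not part of the original thread: audit_page() flags http:// resources and form/link targets on an https page, and cert_matches_host() is a simplified name match against a certificate in the dict shape returned by Python's ssl.SSLSocket.getpeercert(). The host names, page and certificate are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs whose URL the browser fetches, follows or submits to.
URL_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
             ("link", "href"), ("a", "href"), ("form", "action")}


class PageAudit(HTMLParser):
    """Collect every URL on an https page that resolves to plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in URL_ATTRS or not value:
                continue
            target = urljoin(self.page_url, value)  # resolve relative URLs
            if urlsplit(target).scheme == "http":
                # Links and form posts leave https; the rest load into the page.
                kind = "switch-away" if tag in ("a", "form") else "mixed-content"
                self.findings.append((kind, tag, target))


def audit_page(page_url, html):
    audit = PageAudit(page_url)
    audit.feed(html)
    return audit.findings


def cert_matches_host(cert, hostname):
    """True if a DNS subjectAltName entry in cert covers hostname.

    A wildcard is honoured only as the whole left-most label and never
    directly under a single-label suffix ("*.example" is refused).
    """
    host = hostname.lower().rstrip(".")
    for kind, pattern in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = pattern.lower()
        if pattern == host:
            return True
        if pattern.startswith("*."):
            head, _, rest = host.partition(".")
            if head and rest == pattern[2:] and "." in rest:
                return True
    return False


# Constructed sample input: a login page and the certificate presented for it.
PAGE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://bank.example/site.css">
<script src="http://static.bank.example/menu.js"></script>
</head><body>
<img src="/logo.png">
<form action="http://bank.example/auth" method="post"></form>
</body></html>
"""
SAMPLE_CERT = {"subjectAltName": (("DNS", "bank.example"),
                                  ("DNS", "*.bank.example"))}

if __name__ == "__main__":
    for finding in audit_page(PAGE_URL, SAMPLE_HTML):
        print(finding)
    for name in ("www.bank.example", "bnak.example", "bank.example.login.test"):
        print(name, cert_matches_host(SAMPLE_CERT, name))
```
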

bealoid
02-23-08, 10:07 AM
"nemo_outis" <abc@xyz.com> wrote in
news:Xns9A4D5BFC23FD9pqwertyu@64.59.135.159:

> bealoid <signup@bealoid.co.uk> wrote in
> news:Xns9A4D94296AC6FYAsfKJXSTO@194.117.143.37:
>
> You need to read up on SSL.

I know! I've got the RFCs and such now.
>
> Simplifying a bit, as long as:
>
> 1) the bank (or other destination site) has properly implemented its
> pages (doesn't mix http & https, doesn't switch away, etc.), and
> 2) you actually *check* its SSL certificate to make sure it's for
> whomever you're trying to connect to,
>
> you're bombproof.

I really thought this was the case. I'm having a gentle argument in a
virginmedia support newsgroup.

>
> Regards,
>
> PS This assumes, of course, that your computer is not infested with
> spyware, Trojans, and the like and that you practice safe computing by
> securing your browser, flushing caches and cookies, etc. or even
> signing off after a secure session. In short, SSL protects
> communications in transit, it doesn't protect against compromise (and
> stupid mistakes) at either end point, especially by a user
> unreflectively clicking on stuff he shouldn't (slightly misspelled
> URLs, etc.).

Well, yes. The number of machines that get trojaned by users clicking
the "yes, please instal malware" buttons isn't re-assuring. :-(

Sebastian G.
02-24-08, 02:10 PM
ugh wrote:

> 128k SSL


128k? Don't you mean 128 bit?

> http://au.answers.yahoo.com/answers2/frontend.php/question?qid=1006041124032


Some illiterates talking about things they don't know and don't understand.

> http://www.marktaw.com/technology/HowlongdoesittaketocrackS.html

That's obviously a 40 bit key, dude!

Anonymous
02-24-08, 04:13 PM
ugh wrote:

> 128k SSL is crackable, with considerable time and effort.

Please... get your information about cryptanalysis from some source
other than random clueless rubes posting to some Yayhoo forum and/or
learn to read for comprehension.

First of all it's "bits", not "k".

Second of all, if you combined the computing power of every digital
device on the face of the planet and directed that effort toward
cracking a single 128 bit SSL session it would take you significantly
longer than the Earth has existed to crack it, and generate enough heat
to vaporize this corner of the Galaxy in the process.

The mathematics behind that is undeniable. Modern strong encryption is
virtually uncrackable. Period. If any weaknesses exist they're going to
be in the implementation, not the crypto itself.

nemo_outis
02-24-08, 05:10 PM
"Sebastian G." <seppi@seppig.de> wrote in
news:62e19eF22mtvsU1@mid.dfncis.de:

> ugh wrote:
>
>> 128k SSL
>
>
> 128k? Don't you mean 128 bit?
>
>> http://au.answers.yahoo.com/answers2/frontend.php/question?qid=1006041
>> 124032
>
>
> Some illiterates talking about things they don't know and don't
> understand.
>
>> http://www.marktaw.com/technology/HowlongdoesittaketocrackS.html
>
> That's obviously a 40 bit key, dude!
>

Exactly right, Sebastian!

Regards,

ugh
02-24-08, 08:52 PM
128k SSL is crackable, with considerable time and effort.

http://au.answers.yahoo.com/answers2/frontend.php/question?qid=1006041124032

http://www.marktaw.com/technology/HowlongdoesittaketocrackS.html

Ari
02-24-08, 10:58 PM
On Sun, 24 Feb 2008 21:52:34 -0500, ugh wrote:

> 128k SSL is crackable, with considerable time and effort.

I should say lol
--
An Explanation Of The Need To Be "Anonymous"
http://www.penny-arcade.com/comic/2004/03/19

Ertugrul Söylemez
02-25-08, 03:50 AM
On Sun, 24 Feb 2008 23:13:56 +0100 (CET)
Anonymous <cripto@ecn.org> wrote:

> The mathematics behind that is undeniable. Modern strong encryption is
> virtually uncrackable. Period. If any weaknesses exist they're going
> to be in the implementation, not the crypto itself.

Unfortunately this is very inaccurate. The mathematics are deniable,
because there are no security proofs. There is strong evidence towards
good security, but nothing is proven here. So currently, we can only
assume security, not take it for granted.


Regards,
Ertugrul.


--
http://ertes.de/

bealoid
02-25-08, 02:31 PM
Ertugrul Söylemez <es@ertes.de> wrote in
news:fpu314$9u4$02$1@news.t-online.com:

> On Sun, 24 Feb 2008 23:13:56 +0100 (CET)
> Anonymous <cripto@ecn.org> wrote:
>
>> The mathematics behind that is undeniable. Modern strong encryption is
>> virtually uncrackable. Period. If any weaknesses exist they're going
>> to be in the implementation, not the crypto itself.
>
> Unfortunately this is very inaccurate. The mathematics are deniable,
> because there are no security proofs. There is strong evidence towards
> good security, but nothing is proven here. So currently, we can only
> assume security, not take it for granted.

I agree, but the evidence is very strong for some versions of algorithms, no?

And, until someone does factorisation, cracking an encrypted message is
almost always going to rely on the implementation of the algorithm in
software, the deployment of software on the machine, human weaknesses in
picking good passwords etc.

nemo_outis
02-25-08, 05:07 PM
Ertugrul Söylemez <es@ertes.de> wrote in
news:fpu314$9u4$02$1@news.t-online.com:

> Unfortunately this is very inaccurate. The mathematics are deniable,
> because there are no security proofs. There is strong evidence towards
> good security, but nothing is proven here. So currently, we can only
> assume security, not take it for granted.

Yes, but as Thoreau reminds us, "Some circumstantial evidence is very
strong, as when you find a trout in the milk."

Regards,

No One
02-25-08, 05:29 PM
Ari wrote:
> On Sun, 24 Feb 2008 21:52:34 -0500, ugh wrote:
>
>> 128k SSL is crackable, with considerable time and effort.
>
> I should say lol

Instead of that, why don't you tell us where you claim you work as the
employer? That way you can clear up this 'misunderstanding', by proving
yourself as being truthful when you say you are an *employer*, and you
can prove me wrong when I say you're not. And, you can accomplish both
of these objectives at the same time. There's no reason why you
shouldn't take this opportunity.

Don't you see? By saying you are somebody that you're not, it's like
you're taking on another identity. And that makes you no better than us
anonymous posters that you obviously have a vendetta against.

That makes you a true hypocrite.

You can run, but you cannot hide.

Ari
02-27-08, 05:28 AM
On Mon, 25 Feb 2008 18:29:09 -0500, No One wrote:

> Instead of that, why don't you tell us where you claim you work as the
> employer? That way you can clear up this 'misunderstanding', by proving
> yourself as being truthful when you say you are an *employer*, and you
> can prove me wrong when I say you're not. And, you can accomplish both
> of these objectives at the same time. There's no reason why you
> shouldn't take this opportunity.
>
> Don't you see? By saying you are somebody that you're not, it's like
> you're taking on another identity. And that makes you no better than us
> anonymous posters that you obviously have a vendetta against.
>
> That makes you a true hypocrite.
>
> You can run, but you cannot hide.

Yes, but as Thoreau reminds us, "Some circumstantial evidence is very
strong, as when you find a trout in the milk."

Regards,

--
An Explanation Of The Need To Be "Anonymous"
http://www.penny-arcade.com/comic/2004/03/19

No One
02-27-08, 08:24 AM
Ari wrote:
> On Mon, 25 Feb 2008 18:29:09 -0500, No One wrote:
>
>> Instead of that, why don't you tell us where you claim you work as the
>> employer? That way you can clear up this 'misunderstanding', by proving
>> yourself as being truthful when you say you are an *employer*, and you
>> can prove me wrong when I say you're not. And, you can accomplish both
>> of these objectives at the same time. There's no reason why you
>> shouldn't take this opportunity.
>>
>> Don't you see? By saying you are somebody that you're not, it's like
>> you're taking on another identity. And that makes you no better than us
>> anonymous posters that you obviously have a vendetta against.
>>
>> That makes you a true hypocrite.
>>
>> You can run, but you cannot hide.
>
> Yes, but as Thoreau reminds us, "Some circumstantial evidence is very
> strong, as when you find a trout in the milk."
>
> Regards,
>

And now you're plagiarizing nemo_outis.

You're like a panhandling derelict bum without any dignity or
self-respect whatsoever.

But, on the flip-side, now I know that I've been right in my estimation
concerning you. You just handed me the confirmation.

Something else I know, that maybe you don't: you will only get worse.

Anonymous
02-27-08, 11:08 AM
Ari wrote:

> On Mon, 25 Feb 2008 18:29:09 -0500, No One wrote:
>
> > Instead of that, why don't you tell us where you claim you work as the
> > employer? That way you can clear up this 'misunderstanding', by proving
> > yourself as being truthful when you say you are an *employer*, and you
> > can prove me wrong when I say you're not. And, you can accomplish both
> > of these objectives at the same time. There's no reason why you
> > shouldn't take this opportunity.
> >
> > Don't you see? By saying you are somebody that you're not, it's like
> > you're taking on another identity. And that makes you no better than us
> > anonymous posters that you obviously have a vendetta against.
> >
> > That makes you a true hypocrite.
> >
> > You can run, but you cannot hide.
>
> Yes, but as Thoreau reminds us, "Some circumstantial evidence is very
> strong, as when you find a trout in the milk."


I'm sorry, what was the name of the company where you're an "employer"
again? I certainly must have missed it, as you would never post
unsubstantiated claims to Usenet. Would you?

Ari
02-28-08, 07:04 AM
On Mon, 25 Feb 2008 18:29:09 -0500, No One wrote:

> Ari wrote:
>> On Sun, 24 Feb 2008 21:52:34 -0500, ugh wrote:
>>
>>> 128k SSL is crackable, with considerable time and effort.
>>
>> I should say lol
>
> Instead of that, why don't you tell us where you claim you work as the
> employer? That way you can clear up this 'misunderstanding', by proving
> yourself as being truthful when you say you are an *employer*, and you
> can prove me wrong when I say you're not. And, you can accomplish both
> of these objectives at the same time. There's no reason why you
> shouldn't take this opportunity.
>
> Don't you see? By saying you are somebody that you're not, it's like
> you're taking on another identity. And that makes you no better than us
> anonymous posters that you obviously have a vendetta against.
>
> That makes you a true hypocrite.
>
> You can run, but you cannot hide.

An old fish once said: "Anonymouse morons speak with forked brains, be thee
not afraid of one who shakes in the shadows jacking off their pee-pee.
--
An Explanation Of The Need To Be "Anonymous"
http://www.penny-arcade.com/comic/2004/03/19

Ari
02-28-08, 07:07 AM
On Wed, 27 Feb 2008 09:24:16 -0500, No One wrote:

>>> Don't you see? By saying you are somebody that you're not, it's like
>>> you're taking on another identity. And that makes you no better than us
>>> anonymous posters that you obviously have a vendetta against.
>>>
>>> That makes you a true hypocrite.
>>>
>>> You can run, but you cannot hide.
>>
>> Yes, but as Thoreau reminds us, "Some circumstantial evidence is very
>> strong, as when you find a trout in the milk."
>>
>> Regards,
>>
>
> And now you're plagiarizing nemo_outis.

Sherlock Holmes once said: "Reading is not brilliance although those who
are faceless may believe themselves so"
--
An Explanation Of The Need To Be "Anonymous"
http://www.penny-arcade.com/comic/2004/03/19

Ari
02-28-08, 07:08 AM
On Wed, 27 Feb 2008 12:08:38 -0500 (EST), Anonymous wrote:

>>> Don't you see? By saying you are somebody that you're not, it's like
>>> you're taking on another identity. And that makes you no better than us
>>> anonymous posters that you obviously have a vendetta against.
>>>
>>> That makes you a true hypocrite.
>>>
>>> You can run, but you cannot hide.
>>
>> Yes, but as Thoreau reminds us, "Some circumstantial evidence is very
>> strong, as when you find a trout in the milk."
>
> I'm sorry, what was the name of the company where you're an "employer"
> again? I certainly must have missed it, as you would never post
> unsubstantiated claims to Usenet. Would you?

As an old sage once told me, "Answer not what is archived especially to the
Nameless Ones."
--
An Explanation Of The Need To Be "Anonymous"
http://www.penny-arcade.com/comic/2004/03/19

Jim Watt
02-28-08, 09:44 AM
On Thu, 28 Feb 2008 08:04:52 -0500, Ari <arisilverstein@yahoo.com>
wrote:

<snip>

Add to your list of quotes:

Don't spam newsgroups or people will know you are a tosser.
--
Jim Watt
http://www.gibnet.com

No One
02-28-08, 10:23 AM
Ari wrote:
> On Mon, 25 Feb 2008 18:29:09 -0500, No One wrote:
>
>> Ari wrote:
>>> On Sun, 24 Feb 2008 21:52:34 -0500, ugh wrote:
>>>
>>>> 128k SSL is crackable, with considerable time and effort.
>>> I should say lol
>> Instead of that, why don't you tell us where you claim you work as the
>> employer? That way you can clear up this 'misunderstanding', by proving
>> yourself as being truthful when you say you are an *employer*, and you
>> can prove me wrong when I say you're not. And, you can accomplish both
>> of these objectives at the same time. There's no reason why you
>> shouldn't take this opportunity.
>>
>> Don't you see? By saying you are somebody that you're not, it's like
>> you're taking on another identity. And that makes you no better than us
>> anonymous posters that you obviously have a vendetta against.
>>
>> That makes you a true hypocrite.
>>
>> You can run, but you cannot hide.
>
> An old fish once said: "Anonymouse morons speak with forked brains, be thee
> not afraid of one who shakes in the shadows jacking off their pee-pee.

It's reassuring to see that you had to return and respond to my post a
second time.

That tells me you must have been struggling with the torment it was
causing you.

If you just tell us the *name* of the company where you are an employer,
as you claim, then all of this mental anguish will suddenly disappear.

You don't like being anonymous, do you? Then take this opportunity to
become non-anonymous. Otherwise, you will remain anonymous forever.
Everybody will know that you're not who you say you are.

No One
02-28-08, 10:23 AM
Ari wrote:
> On Wed, 27 Feb 2008 09:24:16 -0500, No One wrote:
>
>>>> Don't you see? By saying you are somebody that you're not, it's like
>>>> you're taking on another identity. And that makes you no better than us
>>>> anonymous posters that you obviously have a vendetta against.
>>>>
>>>> That makes you a true hypocrite.
>>>>
>>>> You can run, but you cannot hide.
>>> Yes, but as Thoreau reminds us, "Some circumstantial evidence is very
>>> strong, as when you find a trout in the milk."
>>>
>>> Regards,
>>>
>> And now you're plagiarizing nemo_outis.
>
> Sherlock Holmes once said: "Reading is not brilliance although those who
> are faceless may believe themselves so"

Maybe you'd care to name for me the Sherlock Holmes volume that
quotation is from. I thought I had read them all, but I don't recall
ever seeing that in any of them.

And I wonder why you left out a majority of my post.

I guess it must have been the part that disturbs you the most:

"You're like a panhandling derelict bum without any dignity or
self-respect whatsoever.

But, on the flip-side, now I know that I've been right in my estimation
concerning you.
You just handed me the confirmation.

Something else I know, that maybe you don't: you will only get worse."

Yes, I see why that would be a definite cause of perturbation to you.

In fact, I can see you getting worse even now, O Faceless One.

Q.E.D.

Cyberiade.it Anonymous Remailer
02-28-08, 02:59 PM
Ari wrote:

> > I'm sorry, what was the name of the company where you're an "employer"
> > again? I certainly must have missed it, as you would never post
> > unsubstantiated claims to Usenet. Would you?
>
> As an old sage once told me, "Answer not what is archived especially to the
> Nameless Ones."

What irony, coming from the same coward who also just posted this bit
of self serving horse flop...

"Why not? What's your problem with full accountability?"

Seems the tilt of your pointy head depends on which **** you're sucking
at any particular moment in time Ari.

Ari
02-29-08, 12:12 PM
On Thu, 28 Feb 2008 16:44:45 +0100, Jim Watt wrote:

> On Thu, 28 Feb 2008 08:04:52 -0500, Ari <arisilverstein@yahoo.com>
> wrote:
>
> <snip>
>
> Add to your list of quotes:
>
> Don't spam newsgroups or people will know you are a tosser.
> --
> Jim Watt
> http://www.gibnet.com

Elucidate me, Watt. lol
--
An Explanation Of The Need To Be "Anonymous"
http://www.penny-arcade.com/comic/2004/03/19

Ari
02-29-08, 12:14 PM
On Thu, 28 Feb 2008 11:23:04 -0500, No One wrote:

>>> Don't you see? By saying you are somebody that you're not, it's like
>>> you're taking on another identity. And that makes you no better than us
>>> anonymous posters that you obviously have a vendetta against.
>>>
>>> That makes you a true hypocrite.
>>>
>>> You can run, but you cannot hide.
>>
>> An old fish once said: "Anonymouse morons speak with forked brains, be thee
>> not afraid of one who shakes in the shadows jacking off their pee-pee.
>
> It's reassuring to see that you had to return and respond to my post a
> second time.

A fat owl once hooted: " Anonymouses make good eating but as posters, their
stupider than bluebird ****."
--
An Explanation Of The Need To Be "Anonymous"
http://www.penny-arcade.com/comic/2004/03/19

No One
02-29-08, 03:01 PM
The Faceless One muttereth:
> On Thu, 28 Feb 2008 11:23:04 -0500, No One wrote:
>
>>>> Don't you see? By saying you are somebody that you're not, it's like
>>>> you're taking on another identity. And that makes you no better than us
>>>> anonymous posters that you obviously have a vendetta against.
>>>>
>>>> That makes you a true hypocrite.
>>>>
>>>> You can run, but you cannot hide.
>>> An old fish once said: "Anonymouse morons speak with forked brains, be thee
>>> not afraid of one who shakes in the shadows jacking off their pee-pee.
>> It's reassuring to see that you had to return and respond to my post a
>> second time.
>
> A fat owl once hooted: " Anonymouses make good eating but as posters, their
> stupider than bluebird ****."

One can only feel sympathy for someone like yourself.

Unable to spell simple contracted words.
Unskilled and inept at holding coherent discourse.
Exhibiting behavior one would expect from a four year-old.

And, you will only get worse.

Ari
03-01-08, 01:55 AM
On Fri, 29 Feb 2008 16:01:14 -0500, No One wrote:

>>>>> You can run, but you cannot hide.
>>>> An old fish once said: "Anonymouse morons speak with forked brains, be thee
>>>> not afraid of one who shakes in the shadows jacking off their pee-pee.
>>> It's reassuring to see that you had to return and respond to my post a
>>> second time.
>>
>> A fat owl once hooted: " Anonymouses make good eating but as posters, their
>> stupider than bluebird ****."
>
> One can only feel sympathy for someone like yourself.

The fallen pomegranate of Hera sputed: "When No One attempts to become One,
No One is actually all he will ever be.
--
An Explanation Of The Need To Be "Anonymous"
http://www.penny-arcade.com/comic/2004/03/19

No One
03-01-08, 02:44 AM
Ari wrote:
> On Fri, 29 Feb 2008 16:01:14 -0500, No One wrote:
>
>>>>>> You can run, but you cannot hide.
>>>>> An old fish once said: "Anonymouse morons speak with forked brains, be thee
>>>>> not afraid of one who shakes in the shadows jacking off their pee-pee.
>>>> It's reassuring to see that you had to return and respond to my post a
>>>> second time.
>>> A fat owl once hooted: " Anonymouses make good eating but as posters, their
>>> stupider than bluebird ****."
>> One can only feel sympathy for someone like yourself.
>
> The fallen pomegranate of Hera sputed: "When No One attempts to become One,
> No One is actually all he will ever be.

Why are you not able to tell us the *name* of the business where you claim
to be an *employer*?

Maybe you could tell us the *number* of people that are now employed there,
and the name of the *city* or *town* where that particular place of business
is located.

Surely that would not be asking too much from Your Faceless One, would it?

Anonymous
03-01-08, 08:08 PM
Ari wrote:

> On Thu, 28 Feb 2008 11:23:04 -0500, No One wrote:
>
> >>> Don't you see? By saying you are somebody that you're not, it's like
> >>> you're taking on another identity. And that makes you no better than us
> >>> anonymous posters that you obviously have a vendetta against.
> >>>
> >>> That makes you a true hypocrite.
> >>>
> >>> You can run, but you cannot hide.
> >>
> >> An old fish once said: "Anonymouse morons speak with forked brains, be thee
> >> not afraid of one who shakes in the shadows jacking off their pee-pee.
> >
> > It's reassuring to see that you had to return and respond to my post a
> > second time.
>
> A fat owl once hooted: " Anonymouses make good eating but as posters, their
> stupider than bluebird ****."

Ari's fat momma was heard shouting: "Three holes! No waiting!."

Cyberiade.it Anonymous Remailer
03-01-08, 08:23 PM
Ari wrote:

> On Fri, 29 Feb 2008 16:01:14 -0500, No One wrote:
>
> >>>>> You can run, but you cannot hide.
> >>>> An old fish once said: "Anonymouse morons speak with forked brains, be thee
> >>>> not afraid of one who shakes in the shadows jacking off their pee-pee.
> >>> It's reassuring to see that you had to return and respond to my post a
> >>> second time.
> >>
> >> A fat owl once hooted: " Anonymouses make good eating but as posters, their
> >> stupider than bluebird ****."
> >
> > One can only feel sympathy for someone like yourself.
>
> The fallen pomegranate of Hera sputed: "When No One attempts to become One,
> No One is actually all he will ever be.

Ari's daddy whined: "Oral sex makes my day, but **** sex makes
my hole weak."

Anonymous
03-02-08, 01:31 AM
Ari wrote:

> On Thu, 28 Feb 2008 16:44:45 +0100, Jim Watt wrote:
>
> > On Thu, 28 Feb 2008 08:04:52 -0500, Ari
> > <arisilverstein@yahoo.com> wrote:
> >
> > <snip>
> >
> > Add to your list of quotes:
> >
> > Don't spam newsgroups or people will know you are a tosser.
> > --
> > Jim Watt
> > http://www.gibnet.com
>
> Elucidate me, Watt. lol

No problem.....

You're a lying sack failing miserably at trying to be cute.

You're also an illiterate ****.

Ari
05-11-08, 04:31 AM
On 2 Mar 2008 03:23:51 +0100, Cyberiade.it Anonymous Remailer wrote:

>>>> A fat owl once hooted: " Anonymouses make good eating but as posters, their
>>>> stupider than bluebird ****."
>>>
>>> One can only feel sympathy for someone like yourself.
>>
>> The fallen pomegranate of Hera sputed: "When No One attempts to become One,
>> No One is actually all he will ever be.
>
> Ari's daddy whined: "Oral sex makes my day, but **** sex makes
> my hole weak."

A eunuch trying to jack off said: I feel Anonymouse today.
--
An Explanation Of The Need To Be "Anonymous"
http://www.penny-arcade.com/comic/2004/03/19