Page 1 of 2 (results 1 to 20 of 31)

Thread: Phorm, mitm, and https

  1. #1
    bealoid
    Guest

    Phorm, mitm, and https

    {x-posted to alt.privacy and alt.computer.security}

    A number of UK ISPs have signed up for Phorm. This is, IMO, pretty bad.

    Phorm say that they ignore anything going over https. For the purposes of
    this thread, imagine a rogue, black-hat, Phorm.[1] Or even a rogue, black-hat,
    ISP.

    Ann, at her PC, logs into her internet bank account at "Bob's Bank".

    What are the steps involved between Ann's browser and Bob's web page?

    Is there any way for EvePhorm to mount a serious mitm attack?

    Is there any way for EveBlackHatISP to mount a serious mitm attack?

    I'm only really interested in attacks that allow Eves to either see the
    financial data, or worse. I'd be interested to know what kind of mild data
    leaks would be available.

    Many thanks for any replies.

  2. #2
    nemo_outis
    Guest

    Re: Phorm, mitm, and https

    bealoid <signup@bealoid.co.uk> wrote in
    news:Xns9A4D94296AC6FYAsfKJXSTO@194.117.143.37:

    You need to read up on SSL.

    Simplifying a bit, as long as:

    1) the bank (or other destination site) has properly implemented its pages
    (doesn't mix http & https, doesn't switch away, etc.), and
    2) you actually *check* its SSL certificate to make sure it's for whomever
    you're trying to connect to,

    you're bombproof.

    Regards,

    PS This assumes, of course, that your computer is not infested with
    spyware, Trojans, and the like and that you practice safe computing by
    securing your browser, flushing caches and cookies, etc. or even signing
    off after a secure session. In short, SSL protects communications in
    transit, it doesn't protect against compromise (and stupid mistakes) at
    either end point, especially by a user unreflectively clicking on stuff he
    shouldn't (slightly misspelled URLs, etc.).
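Point 2 in the reply above, "check its SSL certificate to make sure it's for whomever you're trying to connect to", is the step that actually stops an interception box at the ISP. Here is that check written out as an added example (not code from any poster, and not how any particular browser implements it). The two certificates are constructed in the dict shape Python's ssl.SSLSocket.getpeercert() returns; the hostnames, issuer and dates are invented. It assumes the interceptor cannot obtain a certificate for the bank's own name, so the best it can present is one for a name it controls.

```python
import ssl
import time

# Constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
# Names, issuer and dates are invented for this example.
BANK_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "www.bobsbank.example"),)),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.bobsbank.example"), ("DNS", "bobsbank.example")),
    "notBefore": "Feb 24 00:00:00 2008 GMT",
    "notAfter": "Feb 24 23:59:59 2009 GMT",
}

# What a TLS-terminating interception box (EvePhorm / EveBlackHatISP) can actually
# present: a certificate for a name it controls, not one issued for the bank's name.
INTERCEPT_CERT = {
    "subject": ((("commonName", "*.isp-proxy.example"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "*.isp-proxy.example"),),
    "notBefore": "Feb 24 00:00:00 2008 GMT",
    "notAfter": "Feb 24 23:59:59 2009 GMT",
}

# A fixed "now" inside the validity period so the stand-alone run is deterministic.
EXAMPLE_NOW = ssl.cert_time_to_seconds("Jun 01 12:00:00 2008 GMT")


def dns_names(cert):
    """Names the certificate is bound to: SAN dNSName entries, or, only when the
    certificate carries no SAN at all, the subject commonName (legacy fallback)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def pattern_matches(pattern, hostname):
    """RFC 6125-style comparison of one certificate name against the hostname the
    user typed: case-insensitive, trailing dot ignored, and a wildcard allowed only
    as the entire leftmost label, matching exactly one non-empty label, with at
    least two fixed labels after it (so "*.example" cannot cover "bobsbank.example")."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in label for label in plabels[1:]):
        return False
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False
    return plabels[1:] == hlabels[1:]


def cert_matches_host(cert, hostname):
    return any(pattern_matches(name, hostname) for name in dns_names(cert))


def check_peer(cert, hostname, now=None):
    """Point 2 as code: is this certificate for the site I meant to reach, and is
    it valid right now?  Returns (ok, reason).  Signature and chain validation is
    the TLS library's job (ssl.create_default_context() does it); this function
    covers the name binding the user is told to check."""
    now = time.time() if now is None else now
    names = dns_names(cert)
    if not any(pattern_matches(name, hostname) for name in names):
        return False, "certificate is for %s, not %s" % (", ".join(names), hostname)
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return False, "certificate not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return False, "certificate expired"
    return True, "certificate is for %s and is valid" % hostname


if __name__ == "__main__":
    host = "www.bobsbank.example"
    # Direct connection: the bank's own certificate passes.
    print(check_peer(BANK_CERT, host, now=EXAMPLE_NOW))
    # Interception: Eve terminates TLS and re-encrypts towards the bank, but the
    # certificate she can show Ann is not one issued for the bank's name.
    print(check_peer(INTERCEPT_CERT, host, now=EXAMPLE_NOW))
```

The interesting failure case is the second call: the interceptor's certificate is syntactically fine, in date, and (in this scenario) from a trusted issuer, and it still fails because the name binding is wrong. That is the whole of what the user-side check buys; if the user clicks through the browser warning, or the site has dropped back to plain http (point 1), the check never happens.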


  3. #3
    bealoid
    Guest

    Re: Phorm, mitm, and https

    "nemo_outis" <abc@xyz.com> wrote in
    news:Xns9A4D5BFC23FD9pqwertyu@64.59.135.159:

    > bealoid <signup@bealoid.co.uk> wrote in
    > news:Xns9A4D94296AC6FYAsfKJXSTO@194.117.143.37:
    >
    > You need to read up on SSL.


    I know! I've got the RFCs and such now.
    >
    > Simplifying a bit, as long as:
    >
    > 1) the bank (or other destination site) has properly implemented its
    > pages (doesn't mix http & https, doesn't switch away, etc.), and
    > 2) you actually *check* its SSL certificate to make sure it's for
    > whomever you're trying to connect to,
    >
    > you're bombproof.


    I really thought this was the case. I'm having a gentle argument in a
    virginmedia support newsgroup.

    >
    > Regards,
    >
    > PS This assumes, of course, that your computer is not infested with
    > spyware, Trojans, and the like and that you practice safe computing by
    > securing your browser, flushing caches and cookies, etc. or even
    > signing off after a secure session. In short, SSL protects
    > communications in transit, it doesn't protect against compromise (and
    > stupid mistakes) at either end point, especially by a user
    > unreflectively clicking on stuff he shouldn't (slightly misspelled
    > URLs, etc.).


    Well, yes. The number of machines that get trojaned by users clicking
    the "yes, please install malware" buttons isn't reassuring. :-(


  4. #4
    Sebastian G.
    Guest

    Re: Phorm, mitm, and https

    ugh wrote:

    > 128k SSL



    128k? Don't you mean 128 bit?

    > http://au.answers.yahoo.com/answers2...=1006041124032



    Some illiterates talking about things they don't know and don't understand.

    > http://www.marktaw.com/technology/Ho...etocrackS.html


    That's obviously a 40 bit key, dude!

  5. #5
    Anonymous
    Guest

    Re: Phorm, mitm, and https

    ugh wrote:

    > 128k SSL is crackable, with considerable time and effort.


    Please... get your information about cryptanalysis from some source
    other than random clueless rubes posting to some Yayhoo forum and/or
    learn to read for comprehension.

    First of all it's "bits", not "k".

    Second of all, if you combined the computing power of every digital
    device on the face of the planet and directed that effort toward
    cracking a single 128 bit SSL session it would take you significantly
    longer than the Earth has existed to crack it, and generate enough heat
    to vaporize this corner of the Galaxy in the process.

    The mathematics behind that is undeniable. Modern strong encryption is
    virtually uncrackable. Period. If any weaknesses exist they're going to
    be in the implementation, not the crypto itself.
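The two posts above argue the 40-bit versus 128-bit point by hand-waving; this is an added worked calculation of the same argument, not code from any poster. The attacker speeds in it are assumed round numbers for illustration, not measurements of any real machine or network. It computes the expected time for exhaustive search, the largest key size a given speed and time budget can exhaust, and the thermodynamic floor (Landauer's limit, k*T*ln 2 per bit erasure) on the energy needed to sweep a keyspace, which is the physical version of the "heat" argument.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_EARTH_YEARS = 4.54e9
AGE_OF_UNIVERSE_YEARS = 1.38e10
BOLTZMANN_J_PER_K = 1.380649e-23


def expected_years(key_bits, keys_per_second):
    """Expected wall-clock time for exhaustive key search: on average half the
    keyspace is tried before the right key turns up."""
    return 2 ** (key_bits - 1) / keys_per_second / SECONDS_PER_YEAR


def landauer_joules(key_bits, temperature_kelvin=300.0):
    """Thermodynamic floor on the energy to sweep the whole keyspace, charging only
    the Landauer minimum (k*T*ln 2) for one bit erasure per trial.  Real hardware
    spends many orders of magnitude more per trial than this floor."""
    return 2 ** key_bits * BOLTZMANN_J_PER_K * temperature_kelvin * math.log(2)


def crackable_bits(keys_per_second, seconds):
    """Largest key size whose expected search time fits in the given budget
    (solves 2**(bits-1) / rate <= seconds for bits)."""
    return int(math.log2(2 * keys_per_second * seconds))


def compare(key_bits, keys_per_second):
    """Summary of one (key size, attacker speed) pair as plain numbers."""
    years = expected_years(key_bits, keys_per_second)
    return {
        "bits": key_bits,
        "keys_per_second": keys_per_second,
        "expected_years": years,
        "earth_lifetimes": years / AGE_OF_EARTH_YEARS,
        "landauer_joules": landauer_joules(key_bits),
    }


if __name__ == "__main__":
    # Assumed attacker speeds, for illustration only: one well-equipped machine
    # versus an absurdly generous planet-wide figure.
    for bits, rate in ((40, 1e9), (56, 1e9), (128, 1e18)):
        r = compare(bits, rate)
        print("%3d-bit key at %.0e keys/s: %.3g years (%.3g Earth lifetimes), "
              "Landauer floor %.3g J" % (bits, rate, r["expected_years"],
                                         r["earth_lifetimes"], r["landauer_joules"]))
    print("key size exhaustible in one year at 1e9 keys/s:",
          crackable_bits(1e9, SECONDS_PER_YEAR), "bits")
```

The shape of the result is what matters: at a billion keys a second a 40-bit key is minutes of work and a 56-bit key is about a year, while 128 bits at a million times a million times that speed is still thousands of Earth lifetimes. Doubling the attacker's speed buys exactly one extra bit, which is why the thread's distinction between the 40-bit key in the linked article and a 128-bit session key is not a matter of degree.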


  6. #6
    nemo_outis
    Guest

    Re: Phorm, mitm, and https

    "Sebastian G." <seppi@seppig.de> wrote in
    news:62e19eF22mtvsU1@mid.dfncis.de:

    > ugh wrote:
    >
    >> 128k SSL

    >
    >
    > 128k? Don't you mean 128 bit?
    >
    >> http://au.answers.yahoo.com/answers2...on?qid=1006041
    >> 124032

    >
    >
    > Some illiterates talking about things they don't know and don't
    > understand.
    >
    >> http://www.marktaw.com/technology/Ho...etocrackS.html

    >
    > That's obviously a 40 bit key, dude!
    >


    Exactly right, Sebastian!

    Regards,

  7. #7
    ugh
    Guest

    Re: Phorm, mitm, and https


  8. #8
    Ari
    Guest

    Re: Phorm, mitm, and https

    On Sun, 24 Feb 2008 21:52:34 -0500, ugh wrote:

    > 128k SSL is crackable, with considerable time and effort.


    I should say lol
    --
    An Explanation Of The Need To Be "Anonymous"
    http://www.penny-arcade.com/comic/2004/03/19

  9. #9
    Ertugrul Söylemez
    Guest

    Re: Phorm, mitm, and https

    On Sun, 24 Feb 2008 23:13:56 +0100 (CET)
    Anonymous <cripto@ecn.org> wrote:

    > The mathematics behind that is undeniable. Modern strong encryption is
    > virtually uncrackable. Period. If any weaknesses exist they're going
    > to be in the implementation, not the crypto itself.


    Unfortunately this is very inaccurate. The mathematics are deniable,
    because there are no security proofs. There is strong evidence towards
    good security, but nothing is proven here. So currently, we can only
    assume security, not take it for granted.


    Regards,
    Ertugrul.


    --
    http://ertes.de/


  10. #10
    bealoid
    Guest

    Re: Phorm, mitm, and https

    Ertugrul Söylemez <es@ertes.de> wrote in news:fpu314$9u4$02
    $1@news.t-online.com:

    > On Sun, 24 Feb 2008 23:13:56 +0100 (CET)
    > Anonymous <cripto@ecn.org> wrote:
    >
    >> The mathematics behind that is undeniable. Modern strong encryption is
    >> virtually uncrackable. Period. If any weaknesses exist they're going
    >> to be in the implementation, not the crypto itself.

    >
    > Unfortunately this is very inaccurate. The mathematics are deniable,
    > because there are no security proofs. There is strong evidence towards
    > good security, but nothing is proven here. So currently, we can only
    > assume security, not take it for granted.


    I agree, but the evidence is very strong for some algorithms, no?

    And, until someone does factorisation, cracking an encrypted message is
    almost always going to rely on the implementation of the algorithm in
    software, the deployment of software on the machine, human weaknesses in
    picking good passwords etc.

  11. #11
    nemo_outis
    Guest

    Re: Phorm, mitm, and https

    Ertugrul Söylemez <es@ertes.de> wrote in news:fpu314$9u4$02
    $1@news.t-online.com:

    > Unfortunately this is very inaccurate. The mathematics are deniable,
    > because there are no security proofs. There is strong evidence towards
    > good security, but nothing is proven here. So currently, we can only
    > assume security, not take it for granted.


    Yes, but as Thoreau reminds us, "Some circumstantial evidence is very
    strong, as when you find a trout in the milk."

    Regards,

  12. #12
    No One
    Guest

    Re: Phorm, mitm, and https

    Ari wrote:
    > On Sun, 24 Feb 2008 21:52:34 -0500, ugh wrote:
    >
    >> 128k SSL is crackable, with considerable time and effort.

    >
    > I should say lol


    Instead of that, why don't you tell us where you claim you work as the
    employer? That way you can clear up this 'misunderstanding', by proving
    yourself as being truthful when you say you are an *employer*, and you
    can prove me wrong when I say you're not. And, you can accomplish both
    of these objectives at the same time. There's no reason why you
    shouldn't take this opportunity.

    Don't you see? By saying you are somebody that you're not, it's like
    you're taking on another identity. And that makes you no better than us
    anonymous posters that you obviously have a vendetta against.

    That makes you a true hypocrite.

    You can run, but you cannot hide.



  13. #13
    Ari
    Guest

    Re: Phorm, mitm, and https

    On Mon, 25 Feb 2008 18:29:09 -0500, No One wrote:

    > Instead of that, why don't you tell us where you claim you work as the
    > employer? That way you can clear up this 'misunderstanding', by proving
    > yourself as being truthful when you say you are an *employer*, and you
    > can prove me wrong when I say you're not. And, you can accomplish both
    > of these objectives at the same time. There's no reason why you
    > shouldn't take this opportunity.
    >
    > Don't you see? By saying you are somebody that you're not, it's like
    > you're taking on another identity. And that makes you no better than us
    > anonymous posters that you obviously have a vendetta against.
    >
    > That makes you a true hypocrite.
    >
    > You can run, but you cannot hide.


    Yes, but as Thoreau reminds us, "Some circumstantial evidence is very
    strong, as when you find a trout in the milk."

    Regards,

    --
    An Explanation Of The Need To Be "Anonymous"
    http://www.penny-arcade.com/comic/2004/03/19

  14. #14
    No One
    Guest

    Re: Phorm, mitm, and https

    Ari wrote:
    > On Mon, 25 Feb 2008 18:29:09 -0500, No One wrote:
    >
    >> Instead of that, why don't you tell us where you claim you work as the
    >> employer? That way you can clear up this 'misunderstanding', by proving
    >> yourself as being truthful when you say you are an *employer*, and you
    >> can prove me wrong when I say you're not. And, you can accomplish both
    >> of these objectives at the same time. There's no reason why you
    >> shouldn't take this opportunity.
    >>
    >> Don't you see? By saying you are somebody that you're not, it's like
    >> you're taking on another identity. And that makes you no better than us
    >> anonymous posters that you obviously have a vendetta against.
    >>
    >> That makes you a true hypocrite.
    >>
    >> You can run, but you cannot hide.

    >
    > Yes, but as Thoreau reminds us, "Some circumstantial evidence is very
    > strong, as when you find a trout in the milk."
    >
    > Regards,
    >


    And now you're plagiarizing nemo_outis.

    You're like a panhandling derelict bum without any dignity or
    self-respect whatsoever.

    But, on the flip-side, now I know that I've been right in my estimation
    concerning you. You just handed me the confirmation.

    Something else I know, that maybe you don't: you will only get worse.







  15. #15
    Anonymous
    Guest

    Re: Phorm, mitm, and https

    Ari wrote:

    > On Mon, 25 Feb 2008 18:29:09 -0500, No One wrote:
    >
    > > Instead of that, why don't you tell us where you claim you work as the
    > > employer? That way you can clear up this 'misunderstanding', by proving
    > > yourself as being truthful when you say you are an *employer*, and you
    > > can prove me wrong when I say you're not. And, you can accomplish both
    > > of these objectives at the same time. There's no reason why you
    > > shouldn't take this opportunity.
    > >
    > > Don't you see? By saying you are somebody that you're not, it's like
    > > you're taking on another identity. And that makes you no better than us
    > > anonymous posters that you obviously have a vendetta against.
    > >
    > > That makes you a true hypocrite.
    > >
    > > You can run, but you cannot hide.

    >
    > Yes, but as Thoreau reminds us, "Some circumstantial evidence is very
    > strong, as when you find a trout in the milk."



    I'm sorry, what was the name of the company where you're an "employer"
    again? I certainly must have missed it, as you would never post
    unsubstantiated claims to Usenet. Would you?


  16. #16
    Ari
    Guest

    Re: Phorm, mitm, and https

    On Mon, 25 Feb 2008 18:29:09 -0500, No One wrote:

    > Ari wrote:
    >> On Sun, 24 Feb 2008 21:52:34 -0500, ugh wrote:
    >>
    >>> 128k SSL is crackable, with considerable time and effort.

    >>
    >> I should say lol

    >
    > Instead of that, why don't you tell us where you claim you work as the
    > employer? That way you can clear up this 'misunderstanding', by proving
    > yourself as being truthful when you say you are an *employer*, and you
    > can prove me wrong when I say you're not. And, you can accomplish both
    > of these objectives at the same time. There's no reason why you
    > shouldn't take this opportunity.
    >
    > Don't you see? By saying you are somebody that you're not, it's like
    > you're taking on another identity. And that makes you no better than us
    > anonymous posters that you obviously have a vendetta against.
    >
    > That makes you a true hypocrite.
    >
    > You can run, but you cannot hide.


    An old fish once said: "Anonymouse morons speak with forked brains, be thee
    not afraid of one who shakes in the shadows jacking off their pee-pee."
    --
    An Explanation Of The Need To Be "Anonymous"
    http://www.penny-arcade.com/comic/2004/03/19

  17. #17
    Ari
    Guest

    Re: Phorm, mitm, and https

    On Wed, 27 Feb 2008 09:24:16 -0500, No One wrote:

    >>> Don't you see? By saying you are somebody that you're not, it's like
    >>> you're taking on another identity. And that makes you no better than us
    >>> anonymous posters that you obviously have a vendetta against.
    >>>
    >>> That makes you a true hypocrite.
    >>>
    >>> You can run, but you cannot hide.

    >>
    >> Yes, but as Thoreau reminds us, "Some circumstantial evidence is very
    >> strong, as when you find a trout in the milk."
    >>
    >> Regards,
    >>

    >
    > And now you're plagiarizing nemo_outis.


    Sherlock Holmes once said: "Reading is not brilliance although those who
    are faceless may believe themselves so"
    --
    An Explanation Of The Need To Be "Anonymous"
    http://www.penny-arcade.com/comic/2004/03/19

  18. #18
    Ari
    Guest

    Re: Phorm, mitm, and https

    On Wed, 27 Feb 2008 12:08:38 -0500 (EST), Anonymous wrote:

    >>> Don't you see? By saying you are somebody that you're not, it's like
    >>> you're taking on another identity. And that makes you no better than us
    >>> anonymous posters that you obviously have a vendetta against.
    >>>
    >>> That makes you a true hypocrite.
    >>>
    >>> You can run, but you cannot hide.

    >>
    >> Yes, but as Thoreau reminds us, "Some circumstantial evidence is very
    >> strong, as when you find a trout in the milk."

    >
    > I'm sorry, what was the name of the company where you're an "employer"
    > again? I certainly must have missed it, as you would never post
    > unsubstantiated claims to Usenet. Would you?


    As an old sage once told me, "Answer not what is archived especially to the
    Nameless Ones."
    --
    An Explanation Of The Need To Be "Anonymous"
    http://www.penny-arcade.com/comic/2004/03/19

  19. #19
    Jim Watt
    Guest

    Re: Phorm, mitm, and https

    On Thu, 28 Feb 2008 08:04:52 -0500, Ari <arisilverstein@yahoo.com>
    wrote:

    <snip>

    Add to your list of quotes:

    Don't spam newsgroups or people will know you are a tosser.
    --
    Jim Watt
    http://www.gibnet.com

  20. #20
    No One
    Guest

    Re: Phorm, mitm, and https

    Ari wrote:
    > On Mon, 25 Feb 2008 18:29:09 -0500, No One wrote:
    >
    >> Ari wrote:
    >>> On Sun, 24 Feb 2008 21:52:34 -0500, ugh wrote:
    >>>
    >>>> 128k SSL is crackable, with considerable time and effort.
    >>> I should say lol

    >> Instead of that, why don't you tell us where you claim you work as the
    >> employer? That way you can clear up this 'misunderstanding', by proving
    >> yourself as being truthful when you say you are an *employer*, and you
    >> can prove me wrong when I say you're not. And, you can accomplish both
    >> of these objectives at the same time. There's no reason why you
    >> shouldn't take this opportunity.
    >>
    >> Don't you see? By saying you are somebody that you're not, it's like
    >> you're taking on another identity. And that makes you no better than us
    >> anonymous posters that you obviously have a vendetta against.
    >>
    >> That makes you a true hypocrite.
    >>
    >> You can run, but you cannot hide.

    >
    > An old fish once said: "Anonymouse morons speak with forked brains, be thee
    > not afraid of one who shakes in the shadows jacking off their pee-pee."


    It's reassuring to see that you had to return and respond to my post a
    second time.

    That tells me you must have been struggling with the torment it was
    causing you.

    If you just tell us the *name* of the company where you are an employer,
    as you claim, then all of this mental anguish will suddenly disappear.

    You don't like being anonymous, do you? Then take this opportunity to
    become non-anonymous. Otherwise, you will remain anonymous forever.
    Everybody will know that you're not who you say you are.

