Not sure if I can ask this on this forum

[pdurrant]

Quote:

Originally Posted by ApK

BTW, does anyone know: Can a MitM attack be successfully executed, in the real world, if you check that the server shows a properly issued SSL cert? That is, assuming your browser is not compromised, if you actually check that the cert is issued to the correct domain from a trusted root, is there a legitimate chance of there being a MitM? I'm seriously asking because I'm not that versed in the implementation details of SSL or proxies.

I think that if you check the certificate fully, there can't be a MITM, at least, not without compromising the server or the trusted roots.

But I'm by no means an expert.

[HarryT]

This is perhaps why modern banking websites (mine at least) don't ask you to enter your complete password, but only selected letters from it. Information intercepted in such a way would not be sufficient to allow anyone to gain access to your account.

[ApK]

Quote:

Originally Posted by HarryT

This is perhaps why modern banking websites (mine at least) don't ask you to enter your complete password, but only selected letters from it. Information intercepted in such a way would not be sufficient to allow anyone to gain access to your account.

Kossowsky's Law of Network Security: If there is a legal way in, then there is an illegal way in.

If those few characters give you access, they could give not you access as well.

I've never seen the partial pwd thing you're describing, but it essentially sounds like a variation of a session key. ie, the few characters that work THIS time would not be the same few characters that work THE NEXT TIME, right?

ApK

[HarryT]

Quote:

Originally Posted by ApK

I've never seen the partial pwd thing you're describing, but it essentially sounds like a variation of a session key. ie, the few characters that work THIS time would not be the same few characters that work THE NEXT TIME, right?

That's right. It asks you at random for, say, the 2nd, 4th, and 7th character of your password.

[pdurrant]

Quote:

Originally Posted by HarryT

That's right. It asks you at random for, say, the 2nd, 4th, and 7th character of your password.

My late sister-in-law wrote to the bank to check it was OK when one time it asked her for the 1st, 2nd and 3rd letters of her password.

Not many people understand true randomness.

[eschwartz]

Quote:

Originally Posted by ApK

BTW, does anyone know: Can a MitM attack be successfully executed, in the real world, if you check that the server shows a properly issued SSL cert? That is, assuming your browser is not compromised, if you actually check that the cert is issued to the correct domain from a trusted root, is there a legitimate chance of there being a MitM? I'm seriously asking because I'm not that versed in the implementation details of SSL or proxies.

Disclaimer: I am going to join you all in not being a security expert.

But as I understand, this is the exact threat which HTTP Strict Transport Security protects against.

MITM is usually leveraged to strip the SSL and relies on the user not knowing that the website should use HTTPS.
Of course, there are some attacks that strike against TLS itself. But generally those get fixed by software updates (not much else you can do really).


As you say, this all depends on your computer (and the certificate authority!) not being compromised. If that happens, you've lost before you started fighting.