From owner-freebsd-security@freebsd.org Mon Sep 26 08:08:08 2016
Date: Mon, 26 Sep 2016 02:59:42 -0500
From: "Matthew D. Fuller" <fullermd@over-yonder.net>
To: "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Subject: Re: Two Dumb Questions
Message-ID: <20160926075942.GQ79735@over-yonder.net>
References: <32084.1474872154@segfault.tristatelogic.com>
In-Reply-To: <32084.1474872154@segfault.tristatelogic.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Editor: vi
X-OS: FreeBSD
User-Agent: Mutt/1.6.1-fullermd.4 (2016-04-27)
List-Id: "Security issues [members-only posting]"

Ronald F. Guilmette, and lo!
it spake thus:
>
> Here's my point: If you really have already managed to become the
> man-in-the-middle anyway, then couldn't you just dummy up any and
> all responses, including those for DNS, in such a way as to make it
> all appear to the victim that everything was "normal", you know,
> such that he can see the cute little padlock symbol to the left of
> the URL in the browser?

Dummying up DNS responses is probably the way you got the user to your
site in the first place; that would often be easier than trying to
intercept their TCP 80/443 web connect tries.

But they're not gonna get the cute little padlock unless the browser is
happy with the cert, which is going to mean either the user accepts it
through the increasingly-irritating-and-dire warnings, or it's signed by
some CA the browser accepts. So, you'd either need to get one of the
umpteen common CAs to give you one, or sneak an extra CA into their
browser (and if you could do that latter, you could bypass a lot of the
spoofing work anyway).

-- 
Matthew Fuller (MF4839)       | fullermd@over-yonder.net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
On the Internet, nobody can hear you scream.
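The trust-store point in the reply above, as an added example that is not part of the list thread: Go standard-library code that builds a constructed "well-known" root and a constructed attacker root, has the attacker root sign a leaf for the hypothetical host www.example.test, and checks whether a client trusting only the well-known root would accept that leaf, then checks again after the attacker's root has been added to the store. All certificate names and the helper functions are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCert (assumed helper) issues a self-signed CA when parent is nil, else a leaf signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, DNSNames: []string{cn},
	}
	if parent == nil { // self-signed: the template is its own issuer
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// padlock: would a client trusting only roots accept leaf for host (i.e. show the padlock)?
func padlock(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
// Scenario: the attacker's CA signs a leaf for the spoofed (constructed) host name.
// Returns the verdict with the normal store, then after the attacker's CA is sneaked in.
func Scenario() (before, after bool) {
	trustedRoot, _ := newCert("Well-Known Root CA", nil, nil)
	attackerRoot, attackerKey := newCert("Attacker Root CA", nil, nil)
	leaf, _ := newCert("www.example.test", attackerRoot, attackerKey)
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot) // one of the "umpteen common CAs" the browser ships with
	before = padlock(leaf, roots, "www.example.test")
	roots.AddCert(attackerRoot) // extra CA sneaked into the trust store
	after = padlock(leaf, roots, "www.example.test")
	return
}
func main() {
	fmt.Println(Scenario()) // false true
}
```

The first verdict is false because the chain ends at a CA the client does not know; it only flips to true once that CA sits in the trust store, which is why a DNS spoof alone never earns the padlock.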