Subject: [IP] Re: Gmail 'hacking' - some perspective
-----Original Message-----
From: Strata R Chalup [mailto:strata@virtual.net]
Sent: Friday, August 10, 2007 5:37 AM
To: Dave Farber
Subject: Fwd: [IP] Gmail 'hacking' - some perspective

Hi Dave,

Roelof Temmingh brings up some excellent points about the security issues, and about SSL. An issue that doesn't get much press regarding SSL 'security' is that one's network (wireless or non) could be doing transparent proxying of SSL. Folks get a false sense of security from having 'secure' web connections and little shiny "is this the right picture?" front ends to sites like banks and credit card companies. So they log into the free wireless at the local coffee shop, public park, piggyback off a neighbor's network, etc., thinking they're not at risk. Surprise! Their 'gateway' could in fact be a transparent proxy that is phishing them up the wazoo.

Read Jon Udell's April 2007 article about enhancing corporate security with an SSL proxy (Webwasher), and now imagine that your local wireless provider, or the neighbor whose open WLAN you're using, has an SSL proxy. They have your goodies, when you think you're doing SSL straight through. If they're proxying everything via an altered SOCKS or similar setup, they can catch the certificate authority lookups, the whole nine yards. Control the gateway and you control reality.

If there is anybody out there in security who thinks 'oh, that is not going to happen, it is not worth the trouble', well, that's what they thought about logging for SYN/ACK pairs and the first 40 characters too.

I think there's a real market opportunity there for an 800-pound gorilla like Google to do something about it. There's also a market space out there for folks willing to run point-of-origin based encryption proxies for a niche market. I'd go do it myself if I wanted to go play ISP/ASP, but 24x7 support is a young man's game.
best regards,
Strata

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
* Artist, Gardener, Engineer, Slacker, Bodhisattva *
* Strategic IT Consulting | strata@virtual.net *
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
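A defender-side check for the interposition described in the message above, added here as an example and not part of the original post: since a gateway that controls the CA lookups can make a substituted certificate chain validate cleanly, the client records the expected leaf-certificate fingerprint over a network it trusts beforehand and compares what the current gateway presents against that pin. The host name and pin values are constructed placeholders, and `fetch_leaf_cert`/`probe` are hypothetical helper names using only the Python standard library.

```python
import hashlib
import socket
import ssl

# Constructed pin table: host -> set of expected SHA-256 fingerprints (hex)
# of the leaf certificate. The value below is a placeholder, not a real
# fingerprint; a real table is recorded out of band, on a trusted network.
EXPECTED_PINS = {
    "mail.example.com": {"0000000000000000000000000000000000000000000000000000000000000000"},
}


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(host: str, der_cert: bytes, pins=EXPECTED_PINS):
    """Compare the presented leaf cert against the recorded pin set.

    Returns (ok, reason). A chain that validates against the system CA
    store but does not match the pin is exactly the transparent-proxy
    case: some gateway-controlled CA signed a certificate for the host.
    """
    expected = pins.get(host)
    if not expected:
        return False, "no pin recorded for %s; cannot judge this connection" % host
    fp = cert_fingerprint(der_cert)
    if fp in expected:
        return True, "fingerprint matches pin"
    return False, "fingerprint %s... not in pin set: possible interposed proxy" % fp[:16]


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Connect with normal chain validation and return the DER leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def probe(host: str):
    """Fetch the live leaf cert and report whether it matches the pin."""
    try:
        der = fetch_leaf_cert(host)
    except ssl.SSLCertVerificationError as exc:
        return False, "chain validation failed: %s" % exc
    return check_pin(host, der)


if __name__ == "__main__":
    print(probe("mail.example.com"))
```

Run `probe` from the untrusted network; a "possible interposed proxy" result where the chain itself validated is the signal the message warns about.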