In a man-in-the-middle attack the criminal wants to insert himself
into a secure communications channel, such as the SSL connection
used in e-commerce and internet banking. To do this the attacker
sets up a phony site and redirects your traffic to it. The most
common way to redirect you is to send you an e-mail claiming to come
from your bank or credit card company, with a link in it that points
to the phony site. Another way is to get JavaScript running in your
browser, or to install a hosts file on your computer.

When you connect to the phony site thinking you are connecting to
your bank, the two computers set up a secure encrypted communications
channel. The man in the middle then makes his own connection to the
bank and sets up a second secure encrypted link. Everything that the
bank sends to the man in the middle, thinking it is sending to you,
is copied by the man in the middle and forwarded to you. You see the
bank's web site, everything looks normal, and you can access your
accounts. In the meantime, the man in the middle is recording your
passwords and account numbers so he can come back later and empty
your bank account.

This attack is possible because your internet browser collects its
encryption keys from the site it visits. When you make a secure
connection the browser asks the remote site for its encryption key,
and sends the remote site a key that it generates for you. As long as
the key sent by the remote site is valid for that site, your browser
does not warn you. The fact that you think you are connected to your
bank when you are actually connected to Joe'sPhishing is not available
to the browser. All it knows is that Joe'sPhishing.com has a key that
properly identifies it as Joe'sPhishing.com. If you ask your browser
for the certificate details you will see that you are connected to
Joe'sPhishing, but as long as the site looks like your bank you have
no reason to question the validity of the certificate.

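The check the passage describes, written out as an added example (this is not code from the original page): a browser only verifies that the certificate it received is valid for the host named in the URL it actually opened, so a phony site with a perfectly good certificate for its own name produces no warning. The certificate records and the hostnames examplebank.test and joesphishing.test are constructed for the example; the extra "intended host" comparison in classify_connection is the piece of information the browser never has.

```python
"""
Added illustration: the browser's certificate check versus the check
it cannot make.  All certificates and hostnames here are constructed
sample data, not real sites.
"""

# Constructed sample certificates, reduced to the one field that matters
# for this check: the DNS names listed in the Subject Alternative Name.
BANK_CERT = {"san": ["www.examplebank.test", "examplebank.test"]}
PHISHING_CERT = {"san": ["www.joesphishing.test"]}


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against a hostname, case-insensitively.

    Wildcards follow the usual browser rule (RFC 6125): a single '*' may
    stand for exactly one left-most label, so '*.examplebank.test' matches
    'www.examplebank.test' but not 'examplebank.test' or
    'a.b.examplebank.test'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only the whole left-most label may be a wildcard, no other label may
    # contain one, and at least two fixed labels must remain after it.
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def browser_accepts(cert: dict, url_host: str) -> bool:
    """The browser's check: is this certificate valid for the host in the URL?"""
    return any(name_matches(name, url_host) for name in cert["san"])


def classify_connection(cert: dict, url_host: str, intended_host: str) -> str:
    """Add the check the browser cannot make on its own: did the link the
    user followed actually lead to the site the user meant to reach?

    Returns one of:
      'ok'            - certificate fits the URL and the URL is the intended site
      'cert_mismatch' - the browser itself would warn (certificate not valid
                        for the URL)
      'wrong_site'    - certificate fits, browser stays silent, but this is
                        not the intended site: the phishing case above
    """
    if not browser_accepts(cert, url_host):
        return "cert_mismatch"
    if not name_matches(intended_host, url_host):
        return "wrong_site"
    return "ok"


if __name__ == "__main__":
    bank = "www.examplebank.test"
    # A legitimate visit: the certificate fits the URL, and the URL is the bank.
    print(classify_connection(BANK_CERT, bank, bank))                         # ok
    # The phishing link: the phony site's own certificate fits its own URL,
    # so the browser is silent, yet the user never reached the bank.
    print(classify_connection(PHISHING_CERT, "www.joesphishing.test", bank))  # wrong_site
    # Only if the phony site tried to answer for the bank's own name without
    # holding a certificate for it would the browser itself complain.
    print(classify_connection(PHISHING_CERT, bank, bank))                     # cert_mismatch
```

The first two cases are the point of the passage: both connections pass the browser's own test, and only the comparison against the name the user intended to visit separates them.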
There is a solution that will prevent this kind of attack. Your bank
needs to set up its own certificate authority, and distribute the
encryption keys only by handing you a diskette at the bank. This
diskette will contain a key that belongs to you and only to you. The
man in the middle can still try to set up the attack, but without the
key that the bank gave to you he cannot see any of the information.