Quote:
Originally Posted by ai-danno
No offense taken, in fact I appreciate the comment. But when you mention your wariness about SSL security, are you referring to a "man-in- the-middle" or attack? I think that those are do-able for sure, but I assume a low risk on them. Of course, low-risk is not no-risk, and I have not personally shopped online or done any online banking from a wireless hotspot. Also, the risk for a "man-in-the-middle" is also present on wired network paths, not just wireless, but again, the risk is low, and depends on the target website's implementation of SSL.
More to the point, I think that unless the site you are going to with sensitive information has properly implemented SSL (is completely SSL'd throughout the site and not just on authentication) then you shouldn't be visiting that site with sensitive information in the first place.
But if you are referring to something else... let me know. But my assumptions about SSL are that since it's encrypted traffic, and barring any insecure implementations of SSL, it's a secure way to communicate (aside from outlandish uber-hacker gangs and rogue governments... but if that's a realistic fear I wouldn't get online in the first place )
|
Yes, the attack over SSL is MiM (man in the middle). SSL itself is
practically impossible to crack, but it doesnt mean you are safe when surfing with https sites at all. The MiM doesnt attempt to crack SSL, in stead, with bogus private & public keys, it pretends to be the trusted party (the https site) you are supposed to deal with. So, consequencely, you blindly give your private info to the bad guy.
I wouldnt say its a low risk. Believe it or not, it would take a script kiddie only
~5mins in total (including the time to download software) to finish every step needed to retrieve the password over SSL. Also, it requires zero technical knowledge. All you have to do is point and click as per instruction. If the program is widespread one day, it would be a disaster.