
Thread: Playing back wireless traffic

  1. #51
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Here is something you might like to try:

    In your web browser settings, activate the option to warn when leaving a secure connection. Restart your browser, and connect to your e-mail provider.

    At the initial point you are using a secure SSL connection which allows authentication and then starts your e-mail session. At this point the SSL connection is terminated and your browser should pop up with a warning to this effect.

    From that point on, SSL is irrelevant, as you are using an insecure connection. This is the traffic that is being captured.

    The issues are then:

    1. How do you exit the session.
    2. How does the provider respond.
    3. How frequently does the provider check their connections.

    If you just crash out of it by clicking on the little "x" in the top right corner of your screen, you haven't told the provider's system that you have finished. All you have done is break the link at your end.

    If you use the exit or logout option in the mail system, then it depends on how the mail provider has set things up. This should close the session almost immediately............ if it doesn't, then I wouldn't trust them with a loaded potato gun. I don't care how many accounts they have, the "eat more $h1t, three trillion flies can't be wrong" philosophy does not appeal to me in the slightest. Next thing you will be telling us that Enron was a well run corporation because it was large?

    The final question is "how often do they check their connections?" This exploit that you are concerned about can only happen if there is a still open connection at the mail provider's end. All it does as far as I can determine is start communicating using what the mail server thinks is an existing session.

    If the session has been closed it will not be possible (IMO) to re-open it. You would need to open a new SSL link, authenticate and start a new session.

    Just look at this site for example................the last item on the menu bar is "log out" select this option and it will do it. Crash out of the system and you can sometimes get back in.

    On the same menu bar go to "quick links" and select the display users online option. Sit and watch that screen and you will see that it refreshes every 60 seconds or so.

    So, the issues are to do with how the various e-mail providers have set up and are running their services. It is just like any other computer system, OS, or application.............security depends on the user, who in this case is the e-mail provider.

    OK, there is the issue of not logging out properly, which is a customer issue in the first instance, but should be mitigated by a proper housekeeping regime on the part of the provider.

    Incidentally, I would very much question your assertion that there are several hundred million paid for e-mail accounts that are vulnerable to this.

    Also, of the free ones that are vulnerable, how many are actually active? I have lost count of the number of Hotmail accounts I have had...........they are disposable
    Last edited by nihil; April 7th, 2007 at 11:04 AM.

  2. #52
    Junior Member
    Join Date
    Mar 2007
    Posts
    20

    logged out.

    Quote Originally Posted by d34dl0k1
    I'm almost positive that this is where you are confused.
    logged out, can still send and receive mail from the account via dontstealmysecrets. Tried it with numerous accounts.
    Quote Originally Posted by nihil
    1. How do you exit the session.
    by logging out.
    Quote Originally Posted by nihil
    2. How does the provider respond.
    by logging me out in the browser.
    Quote Originally Posted by nihil
    3. How frequently does the provider check their connections.
    that's on their end.
    Quote Originally Posted by nihil
    If you just crash out of it by clicking on the little "x" in the top right corner of your screen, you haven't told the provider's system that you have finished. All you have done is break the link at your end.
    logged out.
    Quote Originally Posted by nihil
    Incidentally, I would very much question your assertion that there are several hundred million paid for e-mail accounts that are vulnerable to this.....I have lost count of the number of Hotmail accounts I have had...........they are disposable
    There are several hundred million accounts that are vulnerable to this. I do not know the percentage that are for-pay, some of them are. It isn't relevant anyway, because the expectation of for-pay and not-for-pay accounts should be identical. This is because they operate in an identical manner within the browser (they differ in allowed storage size, whether they can be accessed via IMAP or POP, etc).

    In general, people are warned that using these services at a public hotspot, for example, can reveal the pages that are being viewed. I do not believe (although I could be wrong) that people are generally aware that accessing these accounts can result in a downloading of every mail message, the ability of an outsider to send new mail, or the ability of the outsider to take over use of the account.

    I said from the first post that the use of SSL on these accounts appears now to have little value. Except to the extent that it prevents an outsider from going to another location to access an account, I have yet to be dissuaded of this apparent fact.

  3. #53
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    logged out, can still send and receive mail from the account via dontstealmysecrets. Tried it with numerous accounts.
    That indicates an issue with session management with the webmail provider. NOT with SSL. The SSL socket is closed post-authentication and the rest of the session operates over plaintext HTTP. This can be replayed very easily with success. If the replay is still possible after a logout, then that would indicate vulnerability.

    The SSL protection on the authentication process does have value, but you're right in saying that it has little value if session management isn't managed properly and session information operates over HTTP.

    Now would be a good time to name specifically a webmail provider that has this issue.
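    The point made in this post and in the three questions from #51 (how the session is exited, how the provider responds, how often stale connections are checked) comes down to what the provider keeps server-side. The following is an added illustration, not code from this thread or from any webmail provider: a constructed, in-memory session store where logout actually destroys the server-side entry and an idle sweep drops sessions a user crashed out of, next to a deliberately weak variant whose logout only clears the browser cookie. The `IDLE_TIMEOUT_SECONDS` value, the class names and the `FakeClock` are all assumptions made for the example.

```python
import secrets
import time

# Constructed example (not any provider's code): server-side session state for
# a webmail service. Names and the idle limit below are assumptions.
IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed idle limit before a session is dropped


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # token -> {"user": str, "last_seen": float}

    def login(self, user):
        """Issue a fresh, unguessable token once authentication (over SSL) succeeded."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def lookup(self, token):
        """Return the user for a live session, or None if unknown or idle too long."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]          # lazy expiry on next use
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def logout(self, token):
        """Destroy the server-side entry, so a replayed token is refused afterwards."""
        return self._sessions.pop(token, None) is not None

    def sweep(self):
        """Drop idle sessions; run this periodically ("how often do they check")."""
        now = self._clock()
        stale = [t for t, e in self._sessions.items()
                 if now - e["last_seen"] > IDLE_TIMEOUT_SECONDS]
        for t in stale:
            del self._sessions[t]
        return len(stale)


class WeakSessionStore(SessionStore):
    """Contrast case: 'logout' only tells the browser to drop its cookie."""

    def logout(self, token):
        # Server state is left intact, so a token seen on plaintext HTTP keeps working.
        return token in self._sessions


class FakeClock:
    """Deterministic clock so the idle behaviour can be exercised offline."""

    def __init__(self):
        self.now = 1_000_000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def replay_after_logout(store_cls):
    """Does a token captured during the session still work once the user logged out?"""
    clock = FakeClock()
    store = store_cls(clock)
    token = store.login("alice")
    captured = token                      # the value that travelled over plaintext HTTP
    assert store.lookup(captured) == "alice"
    store.logout(token)
    return store.lookup(captured) is not None


def replay_after_idle(seconds):
    """Does a token still work after the user simply closed the browser and waited?"""
    clock = FakeClock()
    store = SessionStore(clock)
    token = store.login("bob")
    clock.advance(seconds)
    return store.lookup(token) is not None


if __name__ == "__main__":
    print("proper logout, replay works:", replay_after_logout(SessionStore))      # False
    print("cookie-only logout, replay works:", replay_after_logout(WeakSessionStore))  # True
    print("crashed out, replay after 60s:", replay_after_idle(60))                 # True
    print("crashed out, replay after timeout:", replay_after_idle(IDLE_TIMEOUT_SECONDS + 1))  # False
```

    The `WeakSessionStore` is the behaviour the previous post describes (replay still possible after logout); the base class is what a provider with a "proper housekeeping regime" does. The idle sweep is the only thing that closes the window for a user who clicked the "x" instead of logging out, which is why its period matters as much as the logout code.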

  4. #54
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Exactly my point!

    He mentioned Yahoo! and Hotmail; well, they do seem to be vulnerable, but the others he named are only betas..................

    Gmail isn't, Yahoo "Full" isn't...................

    And the concept of paying for a service that is no different from the "free" one is plainly ridiculous

    Maybe he should buy a box of carrier pigeons?

  5. #55
    Custom User
    Join Date
    Oct 2001
    Posts
    503
    I would agree. The comment about SSL being of little value in these cases is fair enough, but you shouldn't assume that all email providers work like this. I know, for example, that my university webmail uses SSL for the whole session, not just for logging in. Therefore it shouldn't be vulnerable to this sort of attack.

    Quote Originally Posted by nihil
    And the concept of paying for a service that is no different from the "free" one is plainly ridiculous
    Exactly. What I would say is that if you are paying for a service then the supplier has certain responsibilities. In this case, they surely have a responsibility to make sure that access to their service is secure (or at least as secure as they can make it at their end).

    If you are saying that this is a problem with paid for services, then surely this is a legal matter that customers could expect reasonable compensation for. I would suspect that in the UK this violates the data protection act - assuming I understand you correctly in what you are saying about the method of attack.

    ac
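    The university setup described above (SSL for the whole session, not just the login) is enforced on the cookie side by the `Secure` attribute: a browser following RFC 6265 never attaches such a cookie to a plain http request, so the session token is not on the wire for anyone to capture. As an added check that is not part of this thread, the constructed Python below audits a `Set-Cookie` header for the `Secure` and `HttpOnly` attributes and models which cookies a compliant browser would send to a given URL. The header strings and cookie names are made up for the example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def audit_set_cookie(header_value):
    """Map each cookie in a Set-Cookie value to the hardening attributes it lacks.

    A session cookie without Secure will travel over plaintext HTTP as soon as the
    site drops back from SSL after login, which is the situation this thread is about.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        missing = []
        if not morsel["secure"]:
            missing.append("Secure")
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        report[name] = missing
    return report


def cookies_sent_to(jar_entries, url):
    """Model the RFC 6265 rule: a Secure cookie is only sent on https requests.

    jar_entries is a list of (cookie_name, is_secure) pairs held by the browser.
    """
    scheme = urlsplit(url).scheme.lower()
    return [name for name, secure in jar_entries if not (secure and scheme != "https")]


if __name__ == "__main__":
    # Constructed headers: a login-only-SSL provider versus a whole-session-SSL one.
    weak = "SID=0123abcd; Path=/"
    hardened = "SID=0123abcd; Path=/; Secure; HttpOnly"
    print(audit_set_cookie(weak))       # {'SID': ['Secure', 'HttpOnly']}
    print(audit_set_cookie(hardened))   # {'SID': []}

    # What a browser holding a Secure session cookie and a non-Secure preference
    # cookie would send when the site links to a plain http page.
    jar = [("SID", True), ("pref", False)]
    print(cookies_sent_to(jar, "http://mail.example.test/inbox"))    # ['pref']
    print(cookies_sent_to(jar, "https://mail.example.test/inbox"))   # ['SID', 'pref']
```

    A provider that only protects the login page can set `Secure` on the session cookie and still be broken, because the cookie then simply fails to arrive on the http pages; the attribute is only useful once the whole mail session is served over SSL, as ac's university does.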

  6. #56
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    I've started looking at my own mail servers today. My corporate accounts are fine; the entire session is encrypted, but my personal servers... I am curious to see if the entire session is SSL or just the login. I am using Horde. I rarely, I mean rarely, use wireless anything, but just curious.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
