Playing back wireless traffic

Here is something you might like to try:

In your web browser settings, activate the option to warn when leaving a secure connection. Restart your browser, and connect to your e-mail provider.

At the initial point you are using a secure SSL connection which allows authentication and then starts your e-mail session. At this point the SSL connection is terminated and your browser should pop up with a warning to this effect.

From that point on, SSL is irrelevant, as you are using an insecure connection. This is the traffic that is being captured.

The issues are then:

1. How do you exit the session.
2. How does the provider respond.
3. How frequently does the provider check their connections.

If you just crash out of it by clicking on the little "x" in the top right corner of your screen, you haven't told the provider's system that you have finished. All you have done is break the link at your end.

If you use the exit or logout option in the mail system, then it depends on how the mail provider has set things up. This should close the session almost immediately............ if it doesn't, then I wouldn't trust them with a loaded potato gun. I don't care how many accounts they have, the "eat more $h1t, three trillion flies can't be wrong" philosophy does not appeal to me in the slightest. Next thing you will be telling us that Enron was a well run corporation because it was large?

The final question is "how often do they check their connections?" This exploit that you are concerned about can only happen if there is a still open connection at the mail provider's end. All it does as far as I can determine is start communicating using what the mail server thinks is an existing session.

If the session has been closed it will not be possible (IMO) to re-open it. You would need to open a new SSL link, authenticate and start a new session.

Just look at this site for example................the last item on the menu bar is "log out" select this option and it will do it. Crash out of the system and you can sometimes get back in.

On the same menu bar go to "quick links" and select the display users online option. Sit and watch that screen and you will see that it refreshes every 60 seconds or so.

So, the issues are to do with how the various e-mail providers have set up and are running their services. It is just like any other computer system, OS, or application.............security depends on the user, who in this case is the e-mail provider.

OK, there is the issue of not logging out properly, which is a customer issue in the first instance, but should be mitigated by a proper housekeeping regime on the part of the provider.

Incidentally, I would very much question your assertion that there are several hundred million paid for e-mail accounts that are vulnerable to this.

Also, of the free ones that are vulnerable, how many are actually active? I have lost count of the number of Hotmail accounts I have had...........they are disposable:D

Quote:

---

Originally Posted by d34dl0k1

I'm almost positive that this is where you are confused.

---

logged out, can still send and receive mail from the account via dontstealmysecrets. Tried it with numerous accounts.

Quote:

---

Originally Posted by nihil

1. How do you exit the session.

---

by logging out.

Quote:

---

Originally Posted by nihil

2. How does the provider respond.

---

by logging me out in the browser.

Quote:

---

Originally Posted by nihil

3. How frequently does the provider check their connections.

---

that's on their end.

Quote:

---

Originally Posted by nihil

If you just crash out of it by clicking on the little "x" in the top right corner of your screen, you haven't told the provider's system that you have finished. All you have done is break the link at your end.

---

logged out.

Quote:

---

Originally Posted by nihil

Incidentally, I would very much question your assertion that there are several hundred million paid for e-mail accounts that are vulnerable to this.....I have lost count of the number of Hotmail accounts I have had...........they are disposable:D

---

There are several hundred million accounts that are vulnerable to this. I do not know the percentage that are for-pay, some of them are. It isn't relevant anyway, because the expectation of for-pay and not-for pay accounts should be identical. These is because they operate in an identical manner within the browser (they differ in allowed storage size, whether they can be accessed via IMAP or POP, etc).

In general, people are warned that using these services at a public hotspot, for example, can reveal the pages that are being viewed. I do not believe (although I could be wrong) that people are generally aware that accessing these accounts can result in a downloading of every mail message, the ability of an outsider to send new mail, or the ability of the outsider to take over use of the account.

I said from the first post that the use of SSL on these accounts appears now to have little value. Except to the extent that it prevents an outsider from going to another location to access an account, I have yet to be dissuaded of this apparent fact.

Quote:

---

logged out, can still send and receive mail from the account via dontstealmysecrets. Tried it with numerous accounts.

---

That indicates an issue with session management with the webmail provider. NOT with SSL. The SSL socket is closed post-authentication and the rest of the session operates over plaintext HTTP. This can be replayed very easily with success. If the replay is still possible after a logout, then that would indicate vulnerability.

The SSL protection on the authentication process does has value, but you're right in saying that it has little value if session management isn't managed properly and session information operates over HTTP.

Now would be a good time to name specifically a webmail provider that has this issue. :)

Exactly my point!

He mentioned Yahoo! and Hotmail:rolleyes: well, they do seem to be vulnerable, but the others he named are only betas..................

Gmail isn't, Yahoo "Full" isn't...................

And the concept of paying for a service that is no different from the "free" one is plainly ridiculous :D

Maybe he should buy a box of carrier pigeons? :eek:

I would agree. The comment about SSL being of little value in these cases is fair enough, but you shouldn't assume that all email providers work like this. I know, for example, that my university webmail uses SSL for the whole session, not just for logging in. Therefore it shouldn't be vulnerable to this sort of attack.

Quote:

---

Originally Posted by nihil

And the concept of paying for a service that is no different from the "free" one is plainly ridiculous

---

Exactly. What I would say is that if you are paying for a service then the supplier has certain responsibilities. In this case, they surely have a responsibility to make sure that access to their service is secure (or at least as secure as they can make it at their end).

If you are saying that this is a problem with paid for services, then surely this is a legal matter that customers could expect reasonable compensation for. I would suspect that in the UK this violates the data protection act - assuming I understand you correctly in what you are saying about the method of attack.

ac

I've started looking at my own mail servers today. My corporate accounts are fine the entire session is encrypted but my personal servers... I am curious to see if the entire session is SSL or just the login. I am using Horde. I rarely, I mean rarely use wireless anything but just curious.