On Mon, 21 Nov 2005, Randy Bush wrote:
>> As others pointed out (to me as well), for a _man in the middle_ attack (e.g. impersonating www.paypal.com) it is necessary to play ARP games or otherwise insert yourself in the flow of traffic.
> not really. you just need to be there first with a bogus, redirecting, dns response.

That's right. Remember, all they need to do is sniff wireless traffic for a DNS request for "paypal.com" and then send a UDP packet back as an answer (from a closer location - it might even be on the wireless network) that has faked its origin as if it came from the DNS server the user asked, and has some other address for paypal. The good news is that if SSL is used (the DNS request is due to the user going to https://www.paypal...) then it will not properly work, because they cannot fake the SSL cert for paypal from Verisign, so some kind of warning about the cert being self-signed and not issued by a known provider would probably be displayed, but many users will ignore such warnings.

But let's now imagine a different situation, and instead of paypal, let's imagine the user doing ssh to shell.mywork.com. Now let's imagine that the DNS request has been sniffed and, instead of getting the real address for shell.mywork.com, you get the wireless IP address of someone else nearby that has a redirecting ssh server. That special ssh server would provide its own cert pretending to be shell.mywork.com and would internally proxy to another ssh session that actually goes to the real shell.mywork.com. How do you like this scenario?

So just in case, do remember that when you ssh from an insecure wireless network node (even at the NANOG conference) you do it to a server that you have already previously done ssh to (and so have its public key in .ssh/known_hosts), and don't just assume that because it's ssh you're safe.

-- 
William Leibzon
Elan Networks
william@elan.net
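The "be there first" race described in this thread is also what gives a defender something to detect: the forged reply and the legitimate one both reach the wire, with the same transaction ID and different answers. The following Python is an added example, not code from the thread or from Elan Networks; the packets, the 192.0.2.x / 203.0.113.x addresses and the use of shell.mywork.com as a fixture are constructed.

```python
# Added example (not from the thread): passive monitor for the "be there first"
# DNS spoof; two answers for one transaction ID that disagree is the signal.
import struct
from collections import defaultdict
def _read_name(msg, off):
    """Return (name, next_offset), following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                        # pointer to an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
def parse_a_reply(msg):
    """Return (txid, qname, [IPv4 strings]) from a DNS reply carrying A records."""
    txid, _flags, qd, an = struct.unpack("!HHHH", msg[:8])
    off, qname, addrs = 12, None, []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        off += 4                                    # skip QTYPE + QCLASS
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:               # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, qname, addrs
def find_conflicting_replies(replies):
    """[(src_ip, raw_reply)] -> {(txid, qname): [(src, addrs)]} where answers disagree."""
    seen = defaultdict(list)
    for src, raw in replies:
        txid, qname, addrs = parse_a_reply(raw)
        seen[(txid, qname)].append((src, tuple(addrs)))
    return {k: v for k, v in seen.items() if len({a for _, a in v}) > 1}
def build_reply(txid, name, ip):
    """Constructed test fixture: one question, one A record using a compressed name."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return hdr + q + struct.pack("!HH", 1, 1) + rr
# Constructed sample (documentation addresses): forged answer first, real resolver second.
SAMPLE = [("192.0.2.77", build_reply(0x1234, "shell.mywork.com", "192.0.2.77")),
          ("192.0.2.53", build_reply(0x1234, "shell.mywork.com", "203.0.113.10"))]
```

The monitor only flags the race after the fact, since the client has already accepted whichever answer arrived first; that is exactly why the known_hosts advice above still matters.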