"Free WiFi" man-in-the-middle scam seen in the wild.

Florian Weimer fw at deneb.enyo.de
Sat Jan 27 07:27:59 EST 2007


* Perry E. Metzger:

> If you go over to, say, www.fidelity.com, you will find that you can't
> even get to the http: version of the page any more -- you are always
> redirected to the https: version.

Of course, this only helps if users visit the site using bookmarks
that were created after the switch.  If they enter "fidelity.com" (or
even just "fidelity") into their browsers to access it, the switch to
HTTPS won't help at all.  Perhaps this explains why someone might
think that serving the login page over HTTPS is just security theater.

In the same "we use HTTPS and are still vulnerable to MITM
attacks" department, there's the really old issue of authenticating
cookies which are not restricted to HTTPS, but will be happily sent
over HTTP as well. *sigh*

Apart from that, the article you linked to does not even mention
actual attacks with an identity theft motive.  What's worse, the
suggested countermeasures don't protect you at all.  Ad-hoc networks
are insecure, and those with an access point are secure?  Yeah, right.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
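The two weaknesses Florian points out above, a typed-in hostname that lands on a plain-HTTP entry point before any redirect, and an authenticating cookie without the Secure attribute that the browser will also send over HTTP, can be checked mechanically. The following is an added example, not code from the original post or the list: it audits a constructed HTTP exchange (the host `example-bank.test`, the headers and the cookie values are all made up for the example; the scheme-less-input-defaults-to-http rule is an assumption about classic browser behaviour) and reports each finding a defender would want to see.

```python
"""Added example (not part of the original post): audit a constructed HTTP
exchange for a plain-HTTP entry point and for authenticating cookies that
lack the Secure attribute and are therefore sent over HTTP as well."""
from typing import List, NamedTuple, Tuple
from urllib.parse import urlsplit

Header = Tuple[str, str]


class Cookie(NamedTuple):
    name: str
    value: str
    secure: bool      # only sent over HTTPS when True
    http_only: bool   # not readable by script when True


def first_request_url(typed: str) -> str:
    """URL the browser requests for an address typed without a scheme.
    Assumption (classic browser behaviour): it prepends http://, so the
    first hop is unencrypted even if the site later redirects to https."""
    if "://" in typed:
        return typed
    return "http://" + typed.strip("/") + "/"


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and the
    attributes that decide where the browser will send it back."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # Attribute names only; values such as Path=/ are irrelevant here.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(),
                  "secure" in attrs, "httponly" in attrs)


def sent_over_http(cookie: Cookie) -> bool:
    """Without Secure, the cookie is attached to plain http:// requests to
    the same host, where anyone on the path (e.g. the access point) sees it."""
    return not cookie.secure


def audit_response(request_url: str, status: int,
                   headers: List[Header]) -> List[str]:
    """Return the findings for one request/response pair, empty if clean."""
    findings: List[str] = []
    if urlsplit(request_url).scheme == "http":
        findings.append("entry point reachable over plain HTTP: " + request_url)
    is_redirect = 300 <= status < 400
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and is_redirect:
            if urlsplit(value).scheme != "https":
                findings.append("redirect does not land on HTTPS: " + value)
        elif lname == "set-cookie":
            cookie = parse_set_cookie(value)
            if sent_over_http(cookie):
                findings.append(
                    "cookie %r lacks Secure; it will be sent over HTTP"
                    % cookie.name)
    return findings


# Constructed exchange (not a capture from any real site): the user typed a
# bare hostname, the server redirects to HTTPS but also sets a session
# cookie without the Secure attribute.
TYPED = "example-bank.test"
REQUEST_URL = first_request_url(TYPED)          # http://example-bank.test/
RESPONSE_STATUS = 302
RESPONSE_HEADERS: List[Header] = [
    ("Location", "https://example-bank.test/login"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=en; Path=/; Secure"),
]

if __name__ == "__main__":
    for finding in audit_response(REQUEST_URL, RESPONSE_STATUS, RESPONSE_HEADERS):
        print(finding)
```

Run as-is, the audit reports the plain-HTTP entry point and the `session` cookie; the `prefs` cookie carries Secure and is not flagged. The same `audit_response` can be pointed at headers captured from a site's own HTTP entry point to confirm that a redirect to HTTPS alone does not close either gap.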