On Wed, Aug 07, 2002 at 12:24:19PM -0700, Mike Benham wrote:
> First of all, https://www.thoughtcrime.org is NOT the demo site. Several
> people were confused by this email, and subsequently concluded that their
> browser isn't vulnerable because they got an alert that the "name on the
> certificate is invalid." If you would like to see a demo of this
> vulnerability, please email me offline.

By the way, I've performed a full man-in-the-middle with a real bank
involved and myself as the victim. It's easy and works perfectly, so I've
put a brief description and screenshots at http://arch.ipsec.pl/inteligo.html

Details on programs' setup and fake certificate generation are omitted
so as not to provide script-kiddies with a ready recipe.

Actually, you can use Mike's https://www.thoughtcrime.org/ as a demo site,
but you first need to DNS spoof your browser into thinking that
www.amazon.com has the address of 66.93.78.63, which is easy using dnsspoof
from dsniff, for example.

--
Paweł Krawczyk, Kraków, Poland  http://echelon.pl/kravietz/
crypto: http://ipsec.pl/
horses: http://kabardians.com/