Tuesday, August 4, 2009

Fake SSL

Dear Friends,
Here is a good comment from one of our readers. We think it will help our other readers enrich their knowledge in this field, and they will also be more cautious in future after reading it. So thanks to Mr. Sitanshu for sharing his knowledge with us; as it is a good one, we have decided to bring it before all of you in the main posting of our blog. Again, thanks to Mr. Sitanshu, and here is his comment for all:-


Blogger Sitanshu said...


There were some very interesting guidelines on this title. I still thought that you may like to mention to your visitors about "Trusted Sites".

Trusted Sites are those sites that have a trusted security certificate. Companies like VERISIGN, for example, issue "Trusted Security Certificates". That certificate means that the site is protected by SSL (Secure Sockets Layer). To obtain such a certificate, the "VERISIGN" company would thoroughly investigate the ownership and history of the site. Once the site has received such a certification, its clients can rest assured that they are opening an "Original Site" and not a "Fake Site".

But the irony is that hackers have managed to find a flaw even here, in the way a browser can be fooled into opening a site that is not SSL certified.

During an MITM (man-in-the-middle) attack phase, an attacker could wait for a person to click on a site that has an SSL certification. But that site is a bogus site (meaning the person sending the link inserted the trusted site certificate, but the site really is not SSL certified). It has a site name that contains a proper SSL-certified site name, followed by a blank, followed by the rest of the name, which is "the complete fake site name".

FAKE SITE = GOOD SITE PARTNAME + NULL + FAKE SITE NAME

The browser stops reading at the NULL character.

So when you click on a link with that kind of site name, with a null character in the middle of the name followed by the fake site address, you are really conned into entering a fake site that the browser could not catch. Here you start entering your personal data like credit card numbers etc., and you become a victim.

I tried explaining a difficult concept in a few words. For more clarity please visit this link on a recent news item...

http://www.msnbc.msn.com/id/32258426/ns/technology_and_science-security/

Please keep writing. We are all indebted to you and your blog.

Sitanshu

August 4, 2009 8:41 AM
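Added example, not part of the blog or of the comment above: a small C illustration of why the NULL byte in the site name matters to a certificate validator. A certificate's subject name arrives from its DER encoding with an explicit length, so a check that treats it as a C string stops at the first NUL and only ever sees the trusted prefix, while a length-aware check sees the whole name and rejects it. The names `bank.example` and `.attacker.example` are constructed placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A subject name as decoded from DER: pointer plus explicit length,
 * NOT relying on a terminating NUL. */
typedef struct {
    const unsigned char *data;
    size_t len;
} cert_name_t;

/* Vulnerable check: strcmp stops at the first NUL byte, so a name of the
 * form "good-site" + NUL + "rest" compares equal to "good-site". */
bool hostname_matches_naive(const cert_name_t *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened check: use the length the encoding declared, refuse any name
 * that carries an embedded NUL, and compare every byte. */
bool hostname_matches_safe(const cert_name_t *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return false;                       /* embedded NUL: reject */
    if (strlen(host) != cn->len)
        return false;                       /* lengths must agree */
    return memcmp(cn->data, host, cn->len) == 0;
}

/* Constructed crafted name: "bank.example" + NUL + ".attacker.example"
 * (30 bytes, the pattern described in the comment above). */
static const unsigned char CRAFTED_CN[] = "bank.example" "\0" ".attacker.example";
static const cert_name_t CRAFTED = { CRAFTED_CN, sizeof(CRAFTED_CN) - 1 };

/* Constructed honest name for comparison. */
static const unsigned char HONEST_CN[] = "bank.example";
static const cert_name_t HONEST = { HONEST_CN, sizeof(HONEST_CN) - 1 };

int main(void)
{
    printf("naive check: crafted=%d honest=%d\n",
           hostname_matches_naive(&CRAFTED, "bank.example"),
           hostname_matches_naive(&HONEST, "bank.example"));
    printf("safe check:  crafted=%d honest=%d\n",
           hostname_matches_safe(&CRAFTED, "bank.example"),
           hostname_matches_safe(&HONEST, "bank.example"));
    return 0;
}
```

The naive check accepts both names; the length-aware check accepts only the honest one.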
