more than just making sure https is present

Subverting http sessions on local networks is certainly a hot, quiet topic for the past year. First (most likely not first, but first for my purposes) was Sidejacking. At Defcon Beale spoke about his tool The Middler doing http fiddling. And now I read about Surf Jacking, which pretty much is an interesting bit of http fiddling.

How do you detect that someone is re-routing LAN traffic? If one knows the expected MAC address of the DHCP/Gateway devices, then one can implement firewall rules or just watch for changing ARPs. If you think someone might be hijacking your http sessions, purposely open an https session with some site and see if their cert is valid. If it is, there’s a decently good chance no one is interested in your traffic. If someone is interested and MITMing you, then the cert should give warnings.

For an enterprise, what do you do? Well, I think the only valuable recourse is to make every laptop VPN into the mothership and browse through it using more trusted services. A user can also inspect cookies to make sure they are encrypted, and try their best to ensure that SSL persists. Even watching wire traffic for weird ARPs can help.

The downside of all of this? It’s not easy being informed and secure. I wouldn’t expect any of my users to understand any of this, let alone actually practice it. This is why I think endpoints and especially public local networks are a dangerous hunting ground right now. These are advanced topics, and the only way to combat such advanced topics are long-term education and technological controls (like bumpers in the gutters of bowling lanes).

One thought on “more than just making sure https is present

  1. I think for corporate environments there’s a lot that can be down to secure the switching environment to prevent these sorts of attacks. From MAC-filters and security rules all the way to 802.1x. Whilst each of these have draw-backs and don’t fix the problem entirely, they certainly can help.
    You do highlight a particularly risky, and difficult to detect, scenario though. That being public LANs. You’re pretty much left to your own devices when you have no way in the first place to verify gateway/routing devices. I guess that’s why you have to be extra diligent when surfing in those unsafe waters. For people like us though it’s not much of a problem because we’re aware of the risks, but the mums and dads out there don’t know. I certainly agree with long-term education as a control.

Comments are closed.