document updated 15 years ago, on Feb 22, 2009
MITM attacks
- certificate chaining
- an older exploit that's since been fixed
- summary: certificate chains are allowed by design (a trusted root signs an intermediate CA, which signs the site's "leaf" cert). The exploit: some validators never checked that an intermediate was actually marked as a CA (the basicConstraints extension), so anyone holding an ordinary leaf cert for their own domain could use its key to sign a cert for any other domain, and the chain still verified back to a trusted root. A browser that accepts this shows a valid padlock for the MITM's forged cert.
- longer explanation (p. 7-27)
- strip HTTPS
- technical summary: the MITM keeps a normal HTTPS session to the real server but serves the victim plain HTTP, rewriting every https:// link and redirect it relays to http://, so the victim's data crosses the MITM's hop in cleartext.
- social engineering summary: no certificate is ever presented to the victim, so the browser has nothing to complain about; the alarm has to come from the user noticing the missing padlock or "https://". In every other MITM variant, modern browsers throw the alarm themselves.
- longer explanation (p. 28-85)
- extended IDN homograph attack
- background:
- attackers initially tried the original homograph attack
- browsers responded by displaying the punycode version of IDN names for certain TLDs (punycode names start with "xn--" and get weirder from there), to alert the user that something funny may be going on
- summary: two behaviors are key: 1) browsers display the Unicode form rather than punycode for TLDs where IDN names are common (e.g. Chinese TLDs), 2) IDN labels may contain characters that look like URL punctuation (a lookalike "/" or "?"), so a LONG registered name can be made to read like a normal URL: what looks like the path of a trusted site is really a single label, and the "unassuming looking" characters at the end are the attacker's real, validly registered Chinese domain name
- longer explanation (p. 87-97)
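Worked example for the certificate chaining item above. This is an added toy model, not code from these notes or from the talk they summarize: "private keys" are HMAC secrets and a cert's "public key" is the same secret, so it runs stand-alone; a real validator does the same walk with RSA/ECDSA signatures. The CA names, domain names and secrets are constructed.

```python
# Added example: a toy model of chain validation, not code from the notes or
# from the talk they summarize. "Private keys" are HMAC secrets and a cert's
# "public key" is the same secret, so everything runs stand-alone; a real
# validator does the same walk with RSA/ECDSA signatures instead.
import hashlib
import hmac


def sign(issuer_key, body):
    return hmac.new(issuer_key, body.encode(), hashlib.sha256).hexdigest()


def make_cert(subject, issuer, is_ca, key, issuer_key):
    # The CA flag is part of the signed body, so a holder cannot flip it
    # without invalidating the issuer's signature.
    body = f"subject={subject};issuer={issuer};ca={is_ca}"
    return {"subject": subject, "issuer": issuer, "is_ca": is_ca,
            "key": key, "body": body, "sig": sign(issuer_key, body)}


def verify_chain(chain, trust_anchor, check_ca_flag):
    """chain[0] is the end-entity cert, chain[-1] the root. Returns True if
    every cert is signed by the next one up and the root is trusted.
    check_ca_flag=False models the vulnerable validators described above."""
    if chain[-1]["body"] != trust_anchor["body"]:
        return False
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"]:
            return False
        if not hmac.compare_digest(sign(issuer["key"], cert["body"]), cert["sig"]):
            return False
        # The missing check: whatever signs a cert must itself be a CA.
        if check_ca_flag and not issuer["is_ca"]:
            return False
    return True


# Constructed PKI: one root, one intermediate, and a leaf the attacker bought
# legitimately for a domain they control.
ROOT_KEY, INTER_KEY, ATTACKER_KEY = b"root-secret", b"inter-secret", b"evil-secret"
ROOT = make_cert("Root CA", "Root CA", True, ROOT_KEY, ROOT_KEY)
INTER = make_cert("Intermediate CA", "Root CA", True, INTER_KEY, ROOT_KEY)
ATTACKER_LEAF = make_cert("evil.example", "Intermediate CA", False, ATTACKER_KEY, INTER_KEY)

# The attack: the attacker uses their leaf's key to "issue" a cert for the
# victim's site and presents the leaf as if it were an intermediate.
FORGED = make_cert("www.bank.example", "evil.example", False, b"forged-secret", ATTACKER_KEY)
LEGIT_CHAIN = [ATTACKER_LEAF, INTER, ROOT]
FORGED_CHAIN = [FORGED, ATTACKER_LEAF, INTER, ROOT]

if __name__ == "__main__":
    for name, chain in [("legit", LEGIT_CHAIN), ("forged", FORGED_CHAIN)]:
        print(name, "naive:", verify_chain(chain, ROOT, check_ca_flag=False),
              "strict:", verify_chain(chain, ROOT, check_ca_flag=True))
```

Every signature in the forged chain is genuine; the only thing wrong with it is that a non-CA cert sits in the signing position, which is exactly what the flag check catches.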
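Worked example for the strip HTTPS item above: an added model of the relay logic the attack needs, not sslstrip itself or any code from these notes. It assumes the victim's first request already arrives over plain HTTP (the MITM only has to keep it that way); the host names, headers and HTML are constructed.

```python
# Added example, not sslstrip itself: a minimal model of the relay logic the
# "strip HTTPS" attack needs. Host names and messages below are constructed.
import re
from urllib.parse import urlsplit, urlunsplit

HTTPS_REF = re.compile(r"https://[^\s\"'<>]+", re.IGNORECASE)


class StripProxy:
    """Sits between victim and server: HTTPS upstream, plain HTTP downstream."""

    def __init__(self):
        # Every https:// URL we downgraded, so the matching http:// request
        # from the victim can be sent upstream over TLS again.
        self.stripped = set()

    def rewrite_url(self, url):
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            return url
        self.stripped.add(url)
        return urlunsplit(("http", parts.netloc, parts.path, parts.query, parts.fragment))

    def rewrite_body(self, html):
        # Links, form actions, script sources: anything that would start a
        # TLS session from the victim's browser is pointed at plain HTTP.
        return HTTPS_REF.sub(lambda m: self.rewrite_url(m.group(0)), html)

    def rewrite_headers(self, headers):
        out = {}
        for name, value in headers.items():
            if name.lower() == "location":
                value = self.rewrite_url(value)
            elif name.lower() == "set-cookie":
                # A Secure cookie would never be sent on the plaintext leg,
                # so the flag is dropped to keep the session usable.
                value = re.sub(r";\s*secure(?=;|$)", "", value, flags=re.IGNORECASE)
            out[name] = value
        return out

    def upstream_url(self, victim_url):
        """Undo the downgrade for requests whose https:// form we stripped."""
        if victim_url.lower().startswith("http://"):
            https = "https://" + victim_url[len("http://"):]
            if https in self.stripped:
                return https
        return victim_url


# Constructed server response: a redirect to the login page, a session cookie,
# and a body with an HTTPS form action and link.
SAMPLE_RESPONSE_HEADERS = {
    "Location": "https://bank.example/login",
    "Set-Cookie": "sid=abc123; Secure; HttpOnly",
}
SAMPLE_HTML = ('<form action="https://bank.example/auth">'
               '<a href="https://bank.example/help">help</a></form>')

if __name__ == "__main__":
    proxy = StripProxy()
    print(proxy.rewrite_headers(SAMPLE_RESPONSE_HEADERS))
    print(proxy.rewrite_body(SAMPLE_HTML))
    print(proxy.upstream_url("http://bank.example/auth"))
```

Nothing in this exchange presents a certificate to the victim, which is why the browser stays silent. The later defence against this class of attack is HTTP Strict Transport Security (not part of the 2009 talk): a browser that has seen the server's Strict-Transport-Security header refuses to make the plaintext leg at all.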
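Worked example for the extended IDN homograph item above. This is an added, simplified model (not code from the notes or the talk) of how an IDN host is encoded on the wire and what a browser with a per-TLD display policy shows. The lookalike characters, the TLD whitelist and the domain ijjk.cn are constructed for the example; the talk's exact characters are on the referenced slides. The encoder skips IDNA's nameprep mapping step and only punycodes each non-ASCII label.

```python
# Added example, not code from the notes or the talk: a simplified model of
# how an IDN host is encoded on the wire and what a browser with a per-TLD
# display policy shows. Domain names, lookalikes and the whitelist are constructed.
FAKE_SLASH = "\u2044"   # FRACTION SLASH, renders like "/"
FAKE_QMARK = "\u0294"   # LATIN LETTER GLOTTAL STOP, renders like "?"
# Lookalikes chosen for this example; the talk's exact characters are on the slides.
LOOKALIKE_PUNCTUATION = {FAKE_SLASH: "/", "\u2215": "/", FAKE_QMARK: "?"}

# TLDs for which the browser shows the Unicode form (stand-in for a real
# browser whitelist of TLDs with IDN registration policies).
IDN_DISPLAY_TLDS = {"cn", "jp", "kr", "tw"}


def to_ascii(host):
    """IDNA ToASCII minus the nameprep mapping step: punycode each non-ASCII label."""
    return ".".join(
        label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")
        for label in host.split("."))


def to_unicode(host):
    """Inverse of to_ascii: decode every xn-- label back to Unicode."""
    return ".".join(
        label[4:].encode("ascii").decode("punycode") if label.startswith("xn--") else label
        for label in host.split("."))


def display_host(wire_host):
    """What the URL bar shows for a host as it appears in DNS and TLS."""
    tld = wire_host.rsplit(".", 1)[-1].lower()
    return to_unicode(wire_host) if tld in IDN_DISPLAY_TLDS else wire_host


def registrable_domain(host):
    """The part that was actually registered (and that the cert is issued for)."""
    return ".".join(host.split(".")[-2:])


def looks_deceptive(unicode_host):
    """Practitioner check: does any label contain a lookalike of URL punctuation?"""
    return any(ch in LOOKALIKE_PUNCTUATION for ch in unicode_host)


def visual(unicode_host):
    """How the name reads to a human: lookalikes replaced by what they mimic."""
    return "".join(LOOKALIKE_PUNCTUATION.get(ch, ch) for ch in unicode_host)


# Attacker registers ijjk.cn (constructed); the whole fake path is one label.
ATTACKER_CN = "ijjk.cn"
HOMOGRAPH_CN = f"www.bank.example{FAKE_SLASH}login{FAKE_SLASH}secure{FAKE_QMARK}.{ATTACKER_CN}"
HOMOGRAPH_COM = HOMOGRAPH_CN[: -len(".cn")] + ".com"

if __name__ == "__main__":
    for host in (HOMOGRAPH_CN, HOMOGRAPH_COM):
        wire = to_ascii(host)
        print("wire:     ", wire)
        print("displayed:", "https://" + display_host(wire))
        print("reads as: ", "https://" + visual(display_host(wire)))
        print("really:   ", registrable_domain(host), "| deceptive:", looks_deceptive(host))
```

The .com variant is shown as punycode (www.bank.xn--...), which is the defence the notes describe; the .cn variant is shown in Unicode and reads as a path on www.bank.example, while the TLS certificate is a perfectly valid one for ijjk.cn.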