tags:

views:

195

answers:

2
Q: 

Can a unathorized user capture a ssl packet, resend it and login?

Here's the scenario:

We have users login on a secure connection. Could an unathorized user capture packets sent from the users machine to the server and then resend them? Would this allow them to login?

This is a homegrown login system running on coldfusion.

A: 

Short answer: not with a normal browser.

Long answer: yes, if the user is not careful, and discards the warning the browser provides for not matching server name/certificate.

Good explanation of how SSL works.

Sunny  2009-01-20 15:54:33
A: 

No.

Because the attacker in this scenario will still need to negotiate his own SSL handshake with the server, he will be unable to replay the victim's packet verbatim.

Chris Kite  2009-02-04 01:06:35
Thanks for the answer. I read this same thing in several other sources.
Brian Bolton  2009-02-06 16:09:27

related questions

How would I go about implementing this algorithm?
Website got Hacked? Site got redirected
Is there an HTTP proxy tool that can substitute browsed content?
What is the difference between DoS and Brute Force attacks?
What is the legal definition of "hacking"?
How to determine an Oracle query without access to source code?
What kind of programming method do you prefer? Success vs. Freedom
How to read source code learn how to use large system
How to increment the TTL value on Windows?
How Can I Find Out *HOW* My Site Was Hacked? How Do I Find Site Vulnerabilities?
What harm can DBO do to a server?
Advice about forming Hackers Club
Is it relatively easy to hack Network Time Protocol(NTP)?
Is there a way I can retrieve sa password in sql server 2005
Reverse engineering war stories
What are some interesting, small Linux kernel projects to help learn the source?
How do I prevent replay attacks?
Can I put an ASP.Net session ID in a hidden form field?
How to store passwords in Winforms application?
What are good books about security, hacking, and computer forensics?
well written open source projects (for learning)?
Looking for a specific FireFox extension / program for Form posting
Tabbed file browsing in Windows
Found a critical bug, but the company doesn't care