Comments on: Yubikey, Trojans and Twitter

By: Didier Stevens

Didier Stevens — Thu, 03 Dec 2009 17:19:28 +0000

OTPs have to be intercepted and queued for this to work. If you exclude trojans and HTTP(S) man-in-the-middle, then yes, it will not work.

By: Roger Heathcote

Roger Heathcote — Thu, 03 Dec 2009 04:35:25 +0000

If Alice or Bob have a local keylogging trojan on their machines then yes, I can see how it’s game over for them but I meant solve in the context of the local LAN or wider internet.

I was under the impression that as the latest TLS revision fixes https’ arp poisoning vulnerability in a local LAN context that once a secure connection is established by visiting the logon page then no further snooping / interference would be possible from machines on the LAN or the internet. Is this not correct? Sorry if I’m being dense but I’d like to understand the threat as I’m considering creating a yubikey secured product sometime next year!

Thanks,

Roger.

By: Didier Stevens

Didier Stevens — Wed, 02 Dec 2009 21:33:51 +0000

No, as a Trojan can intercept HTTPS before the data stream gets encrypted.

By: Roger Heathcote

Roger Heathcote — Wed, 02 Dec 2009 06:32:25 +0000

If the client and server are using the latest TLS (that fixes the recent session renegotiation bug similar to the attack you describe above) then wouldn’t ensuring the server only offers sensitive pages over https solve the problem?

Roger Heathcote.

By: Andrew Hay » Blog Archive » links for 2009-08-26

Andrew Hay » Blog Archive » links for 2009-08-26 — Wed, 26 Aug 2009 20:05:52 +0000

[...] Yubikey, Trojans and Twitter « Didier Stevens (tags: yubikey otp) [...]