[PLUG] Secret message web page

Jason Martin nsxfreddy at gmail.com
Mon Apr 16 02:43:26 UTC 2007


On 4/14/07, Jason Martin <nsxfreddy at gmail.com> wrote:
> On 4/14/07, Keith Lofstrom <keithl at kl-ic.com> wrote:
> >
> > I set up a "secret message to Keith webpage".  I think.  As I am
> > not a security guru, I could use some help checking my logic.
> >
> > PGP is too hard for most people to figure out.  About every 6 months
> > or so, some random computer-illiterate semistranger needs to send
> > me a short secret message, say to send a password or encryption key.
> > These are not high grade defense-level secrets, but a little more
> > than I want to trust to clear-text email.
> >
> > Hence the webpage.  It is a simple form, accessable through port 443
> > (SSL https web service) on my server:
> > --------------------------------------------------------------------
> > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head>
> > <meta name="description" content="Send Keith a Message form">
> > <title>Send Keith a Message</title>
> > </head><body>
> > <FORM METHOD=POST ACTION="https://www.keithl.com/cgibin/XXXXXXXXX.cgi">
> >    <INPUT TYPE="hidden" NAME="FORMVERSION" VALUE="XXXXXXXX.html 2007Apr14 KHL">
> >    Enter text to send to Keith Lofstrom in this text box
> >    <INPUT TYPE="submit" NAME="EXECUTE_OPTION" VALUE="Send page to Keith">
> >    <br><TEXTAREA ROWS=20 COLS=90 NAME="TEXT53"></TEXTAREA>
> > </FORM></body></html>
> > --------------------------------------------------------------------
> >
> > The POST data is sent to the XXXXXXXX.cgi script (name obscured) on
> > my server, which sends back a confirmation page (https of course)
> > and emails me (internally, over a VPN link) the information and
> > some environment information such as the date, the script and form
> > names, the IP address of the remote browser, and whether HTTPS is
> > turned on.
> >
> > This is not bulletproof;  it is a self-signed cert, for example, so
> > it is somewhat vulnerable to a man-in-the-middle attack.  But hey,
> > if Eve works that hard to access the information, she would be more
> > interesting to talk to, anyway.  :-)
> >
> > Is this an acceptable approach, or it it too weak to bother with?
>
> This provides you with no real security, since a MITM attacker can
> intercept the initial connection and provide their own self-signed
> certificate to the browser, simultaneously establishing a connection
> to your server.  They can then decrypt and re-encrypt the session.
> Since your cert is self-signed, the user has no way to determine
> whether your cert or the MITM cert is legit.
>
> If you can provide the cert signature to the person ahead of time,
> they could verify it when the self-signed warning pops up.

It occurred to me that I focused on the negatives of your approach,
and missed one positive.  With the self-signed certificate, you do
ensure that the message cannot be read by a *passive* attacker (i.e.
someone just sniffing and capturing the traffic).  In order to read it
the attacker must actively perform a MITM attack.  So you are in a
sense providing a bit more security.

Jason



More information about the PLUG mailing list