>He asks me to go to Live.com (the Microsoft email site) and enter a random username and password. A few seconds later, the information I just typed appears on his screen. “Now I have the login details of your email account,” Slotboom says. “The first thing I would do is change the password of your account and indicate to other services you use that I have forgotten my password.
What's happening here? The author's browser would report that the connection is un-certified, and that would be a red flag if the author had checked, no?
Would there be any demand for a service that checks if a website should have a valid cert? Would it make sense to have this built into the browser?
The author goes on to describe DNS spoofing in the following paragraph. Perhaps this was used for the live.com attack. He even says, "Within 20 minutes he’s obtained the login details, including passwords for my Live.com, SNS Bank, Facebook, and DigiD accounts."
Even with spoofed DNS, the HTTPS certificates would not match (J. Random Hacker is unlikely to lug around a compromised, trusted root CA certificate, much less show it off to a passerby).
4 comments
[ 4.0 ms ] story [ 19.7 ms ] threadWhat's happening here? The author's browser would report that the connection is un-certified, and that would be a red flag if the author had checked, no?
Would there be any demand for a service that checks if a website should have a valid cert? Would it make sense to have this built into the browser?
It is curious that the only serious vulnerability described in the article lacks any technical details.