[lug] How do you keep your passwords safe while Paying bills and Day Trading at Work?

Ben bluey at iguanaworks.net
Tue Oct 7 16:32:20 MDT 2008

> At the company I work at the administrators have remote access to all
> the company computers. They could easily control where the browser
> looked for the signed key for an SSL certificate then launch a man in
> the middle attack. Or at least in theory this could happen.
Maybe I'm wrong, but my understanding is that the point of https / SSL 
is stop this (man-in-the-middle, DNS hi-jacking, etc) from being 
possible. Assuming your browser isn't compromised, when you go to 
https://mysecurebank.com the browser sees that its SSL certificate was 
signed by Verisign (or whomever). Verisign's public key is hard coded 
into the browser and the browser goes to Verisign to make sure the SSL 
certificate is legit. If the DNS is hacked (or router rerouting 
traffic), the attacker cannot successfully impersonate Verisign because 
he doesn't have Verisign's private key. And he cannot impersonate 
mysecurebank.com because he doesn't have its private key and if he uses 
another public / private key combination, it won't be signed by 
Verisign, so we will know that the certificate isn't right.

Am I missing something? My understanding is that as long as the machine 
you are using isn't compromised, and the server you are connected to 
isn't hacked and it is using a certificate signed by a legit 3rd party, 
there is  no need to worry about what's in between when using https.


More information about the LUG mailing list