Web Spoofing

Anonymous · Post by **Anonymous** » Sun Jun 05, 2005 12:14 pm

Web Spoofing is way in which one can bluff users..

It is more or less creating a whole image of world wide web...

The attacker comes in between user and the server and can either watch the data exchange and can edit and sent to either of them...

For example if there is a site http://neworder.box.sk
If a user requests for this site, if that site is spoofed then the request goes to the attacker's server first then he requests for the original neworder.box.sk and takes data and manipulates it and sent to the user....

In this way an attacker can see the what data is being exchanged and can manipulate tooo..

Here Everything must be dynamic. I want to know implementing Java is the only way or can be done or is there any other way ??

Please help me in this regard

Archived topic from Iceteks, old topic ID:3372, old post ID:27253

Red Squirrel · Post by **Red Squirrel** » Sun Jun 05, 2005 1:53 pm

Well spoofing does require the attacker to have physical access to the transmission lines anywhere between the user and the server, but it can be as easy as a virus or host file edit in the other's PC. Only way to be protected is encryption, so even if they do access the data, they can't decrypt it. 128bit security is extremely hard to decrypt and brute force is not an option due to so many possibilities. (2^128 I believe) Mind you, the FBI can do it a different way which is quick, so any hacker who used to work for the FBI could possibly do it fast enough provided they have the right equipment.

I don't think java or anything could prevent it, client side + server side authentication could help make a more secure connection, but even then the attacker knows what the client is sending to the server anyway. IP authentication is really the only way I can think of. Resolve the host, and make sure the IP is in fact that host. But that's something that would have to be done manually, and you have to know the actual IP of the host beforehand, (or use an online whois or resolve service). Mind you, such authentication system could maybe be done in java or javascript.

Archived topic from Iceteks, old topic ID:3372, old post ID:27254

Streety · Post by **Streety** » Sun Jun 05, 2005 2:17 pm

I could be wrong but to me it sounds like he is asking how to spoof and not how to prevent it.

I doubt the FBI actually break the encryption. I would assume they just demand the key from the issuing authority.

Archived topic from Iceteks, old topic ID:3372, old post ID:27255

Cold Drink · Post by **Cold Drink** » Sun Jun 05, 2005 3:25 pm

FBI, no. CIA or NSA... maybe... Its more likley one would exploit a weakness in the protocols and implementations than brute the keys. This is actualy easier to do than one might expect under certian circumstances such as over an unprotected wireless connection or after a targeted attack.

Using SSL (HTTPS uses SSL) can help, but how many users would just hit "continue anyway" if they went to a https link and got a cert warning?

There are too many different ways this to really discuss.

Archived topic from Iceteks, old topic ID:3372, old post ID:27256