[all variants] Checking sites for validity! Future security!



savagenator
April 30th, 2008, 03:25 AM
Hello everyone. My question comes from an IT perspective: How do I check if sites are actually the real deal and not some hacked computer pretending to be the site (such as a MySpace phishing page does: it says www.myspace.com at the top, but it's actually an invalid server trying to get your password)? Something like a key to check, like repositories do?


Also, how do I check the md5sum of a file if the site does not post it (like Firefox or QuickTime)?

Thank you!

cdenley
April 30th, 2008, 05:16 PM
Are you concerned about phishing e-mails where people send links to IP addresses or incorrect domain names? If this is the case, just don't go to IP addresses or domains you aren't familiar with, and definitely don't give them any sensitive data.

Are you concerned about DNS spoofing where you go to the correct domain name, but it resolves to an IP address of a compromised system? There wouldn't be any way to detect if a site is being spoofed using an MD5 hash, because where would the hash come from, the web server which is already being spoofed? I don't think a site using an SSL certificate signed by a certificate authority can be spoofed, though.

If you want the md5sum of a page's HTML content:


wget -q -O - http://ubuntuforums.org/|md5sum

movieman
April 30th, 2008, 06:10 PM
I don't think a site using an SSL certificate signed by a certificate authority can be spoofed, though.

Only so long as you check the URL and/or certificate.

Most of the phishing emails I've received are truly lame, trying to get me to go to something like:

https://www.phishing.com/www.mybank.com/stealmylogin.html

Which is obviously fake, but if they had an SSL cert for www.phishing.com, you'd see a padlock in the browser bar and might assume it was a valid connection unless you checked the URL or the certificate that was being used.

One benefit of running NoScript in Firefox is that I have my bank sites whitelisted, so if I see a NoScript warning bar I know that I'm not at a valid site or the bank have changed some URL and I need to check it out.

Obviously they could use a DNS hack so their site appears to be www.mybank.com, but they won't have a signed SSL certificate to prove it, so you'll get a warning message saying it's actually for www.phishing.com.

cdenley
April 30th, 2008, 10:07 PM
Obviously they could use a DNS hack so their site appears to be www.mybank.com, but they won't have a signed SSL certificate to prove it, so you'll get a warning message saying it's actually for www.phishing.com.

Either that or you will get a warning saying it is a self-signed certificate, I think. The same goes for man-in-the-middle attacks where the attacker injects their own SSL certificate in order to decrypt your data. That's why I think self-signed SSL certificates give people a false sense of security.

savagenator
April 30th, 2008, 10:23 PM
Thank you for your replies. I am worried about whether sites are compromised and maybe firefox.exe is replaced with a different firefox.exe (it won't happen, but if it did...) with a virus (same site, getfirefox.com?).

How do I check SSL certificates?

And can I get wget to check the md5sum of a file on another server?

cdenley
May 1st, 2008, 03:27 AM
Thank you for your replies. I am worried about whether sites are compromised and maybe firefox.exe is replaced with a different firefox.exe (it won't happen, but if it did...) with a virus (same site, getfirefox.com?).

How do I check SSL certificates?

And can I get wget to check the md5sum of a file on another server?

If someone is able to replace your local firefox executable, then your system is already compromised, and DNS spoofing or phishing scams are the least of your worries.
EDIT: I misunderstood the firefox example. See twisted_steel's post.

Firefox, or any respectable browser, should always check the SSL certificate if the site uses SSL (the URL has an https:// prefix). If you don't get any warning on an encrypted page, it's not being spoofed. If you get a warning, the data will be encrypted, but you don't know if the server is being spoofed.

You can download the file then check the md5 sum using the command I posted before. There is nothing in the HTTP protocol to retrieve md5 checksums generated by the server. It is possible to create a web script to generate checksums of files on the server for users, but this doesn't protect you from spoofed servers since the spoofed server would generate an md5 sum that matches the spoofed file.
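As an added example, not from this thread or any of its posters: the two warnings discussed above (a certificate issued for a different name, and a certificate with no trusted issuer) can be reproduced with the openssl command-line tool, which is also what you would use to inspect a site's certificate by hand. The script assumes openssl 1.1.1 or later on a Linux box. The host names www.phishing.com and www.mybank.com are the ones used in the thread; the certificates, the name unrelated-ca.example, and the function names are constructed here for the demo.

```shell
#!/bin/sh
# Added example (not the thread's own code): what "checking the certificate"
# means mechanically.  A certificate names the host it was issued for and the
# party that signed it; the browser rejects it when either does not match.
# Assumes the openssl CLI (1.1.1+).  All certificates below are constructed.

# Make a self-signed certificate for host name $1, written to $2.key / $2.crt.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# Print who the certificate is for and who issued it: the same facts the
# browser's certificate dialog shows behind the padlock.
show_cert() {            # $1 = certificate file
    openssl x509 -in "$1" -noout -subject -issuer -ext subjectAltName
}

# Return 0 only if $1 chains to a certificate in the trust bundle $2 AND is
# valid for host name $3.  Both conditions are what a browser checks.
cert_valid_for_host() {  # $1 = certificate, $2 = CA bundle, $3 = host name
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Stand-alone run.
d=$(mktemp -d)
make_cert www.phishing.com "$d/phish"       # the attacker's (valid!) cert
make_cert unrelated-ca.example "$d/other"   # a root that never signed it
show_cert "$d/phish.crt"

# Trust the phishing cert itself so that only the host-name check is tested.
cert_valid_for_host "$d/phish.crt" "$d/phish.crt" www.phishing.com \
    && echo "www.phishing.com: name matches, no warning"
cert_valid_for_host "$d/phish.crt" "$d/phish.crt" www.mybank.com \
    || echo "www.mybank.com: name does NOT match -> browser warns"

# Right name, but no trusted issuer: the self-signed certificate warning.
cert_valid_for_host "$d/phish.crt" "$d/other.crt" www.phishing.com \
    || echo "untrusted issuer -> browser warns"
rm -rf "$d"
```

The first check passing while the second fails is the DNS-hack scenario from the thread: DNS can send you to the attacker's server, but the certificate it presents still says www.phishing.com, so the name check fails for www.mybank.com. The last check is the other warning mentioned: without an issuer your browser trusts, even a certificate carrying the right name is rejected.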

twisted_steel
May 1st, 2008, 04:40 AM
In regard to getting the md5sum of a file, your best bet is to run md5sum on the file and compare it to what you see on the website. The problem is that not all sites have this md5sum for the files, so there is really nothing to compare it to. I wouldn't necessarily look on other sites for the md5sum because there is no guarantee that it is correct. I think it is better, if possible, to get it from the original site, assuming the file and the corresponding md5sum were not modified on the server by an attacker. Some projects offer packages signed with GPG to show that they were uploaded by the correct person.

I did finally find the md5sums for Firefox, which didn't seem readily mentioned on their site. Find the release you are looking for on http://releases.mozilla.org/pub/mozilla.org/firefox/releases/ and then select the version. For example, for 2.0.0.14, the directory is
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/2.0.0.14/. There is an MD5SUMS file in there, along with a SHA1SUMS file and a GPG key. Note that it says in the file to verify the GPG key somewhere else, as the file could have been modified.

Once you have the file and md5sum to compare it to, simply open up a terminal and type

md5sum file.tar.gz

where file.tar.gz is the file you just downloaded. Check the output against the md5sum listed in the file. There is also a sha1sum command for verifying the SHA1 hash.
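As an added example that is not part of twisted_steel's post: the comparison above can be done by md5sum and sha1sum themselves with their -c option, which reads "hash  filename" lines of exactly the form the MD5SUMS and SHA1SUMS listings use. The script below assumes GNU coreutils (as on Ubuntu). The file name file.tar.gz is from the post; the file contents, the listing entries and the function names are constructed for the demo (the digests are those of the text "hello" followed by a newline). It also covers the case the thread is worried about, a swapped archive on the server: the check then fails.

```shell
#!/bin/sh
# Added example (not the thread's own code): check a downloaded file against
# the MD5SUMS / SHA1SUMS listing a release directory publishes.
# Assumes GNU coreutils.  File names, contents and hashes are constructed.

# Lay out a scratch "download" directory: the archive plus the two listings
# in the "<hash>  <name>" format that md5sum -c / sha1sum -c read.
# The hashes are the digests of the constructed content "hello\n".
demo_dir() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/file.tar.gz"
    printf 'b1946ac92492d2347c6235b4d2611184  file.tar.gz\n' > "$dir/MD5SUMS"
    printf 'f572d396fae9206628714fb2ce00f72e94f2258f  file.tar.gz\n' > "$dir/SHA1SUMS"
    printf '%s\n' "$dir"
}

# verify_file <listing> <file>: pick out the listing line for this file name
# (exact match on the name field) and feed only that line to the matching -c
# tool, so the many other entries in a real MD5SUMS do not produce noise.
# Returns 0 on match, 1 on mismatch, 2 if the listing has no entry.
verify_file() {
    listing=$1
    name=$(basename "$2")
    case $(basename "$listing") in
        MD5SUMS)  tool=md5sum;  width=32 ;;
        SHA1SUMS) tool=sha1sum; width=40 ;;
        *) echo "unknown listing type: $listing" >&2; return 2 ;;
    esac
    line=$(awk -v n="$name" -v w="$width" \
        '$2 == n && length($1) == w { print; found = 1 } END { exit !found }' \
        "$listing") || {
        echo "$name: no entry in $listing" >&2
        return 2
    }
    # -c resolves the listed name relative to the current directory
    (cd "$(dirname "$2")" && printf '%s\n' "$line" | "$tool" -c -)
}

# Simulate the server-side swap of the archive that the thread worries about.
tamper() {               # $1 = demo directory
    printf 'hello, trojaned\n' > "$1/file.tar.gz"
}

# Stand-alone run: both listings accept the file, the swapped file fails.
d=$(demo_dir)
verify_file "$d/MD5SUMS" "$d/file.tar.gz"
verify_file "$d/SHA1SUMS" "$d/file.tar.gz"
tamper "$d"
verify_file "$d/MD5SUMS" "$d/file.tar.gz" || echo "swapped archive rejected"
rm -rf "$d"
```

Exit status is what a script should act on: md5sum -c prints "file.tar.gz: OK" or "file.tar.gz: FAILED", but only a zero return means the download matched. As the post says, this only proves the file matches the listing; if an attacker could replace the archive on the server, they could rewrite the listing too, which is why the GPG signature on the listing is the stronger check.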