is ff immune to SSL Evading Trojans? - Mozilla



Thread: is ff immune to SSL Evading Trojans?

  1. is ff immune to SSL Evading Trojans?

    Hi All,

    I have been reading about SSL Evading Trojans that
    circumvent SSL protections when logging into SSL protected
    web sites.

    http://www.infoworld.com/article/06/...html?s=feature
    http://www.infoworld.com/article/06/...html?s=feature

    The article did not mention if this is restricted to IE
    or to all browsers. Is ff immune to SSL Evading Trojans?

    -Todd

  2. Re: is ff immune to SSL Evading Trojans?

    "Todd and Margo Chester" wrote in message
    news:Kr6dnetlEuLlFvvZnZ2dnUVZ_s6dnZ2d@mozilla.org. ..
    > Hi All,
    > I have been reading about SSL Evading Trojans that
    > circumvent SSL protections when logging into SSL protected
    > web sites.
    > http://www.infoworld.com/article/06/...html?s=feature
    > http://www.infoworld.com/article/06/...html?s=feature
    > The article did not mention if this is restricted to IE
    > or to all browsers. Is ff immune to SSL Evading Trojans?
    > -Todd


    My guess is that the trojan could pick up the keystrokes of any browser it
    was designed for. Once a rogue process has been installed, it pretty much
    has the run of the computer, doesn't it? I evaluate browsers, (among
    other things), on the ability of a trojan to automatically get installed
    without user interaction. The main vulnerability on a PC is a user who
    wants to run his/her browser with root, administrative or power user
    privileges. Can't defend against that kind of user.
    The account I run my browser (XP) under doesn't permit installs. This
    account can't populate its startup box or run registry key. If the trojan
    can't get installed, it can't intercept keystrokes. On my solaris, I run
    the browser as a user in low privileged groups.
    ----



  3. Re: is ff immune to SSL Evading Trojans?

    Rghytl wrote:
    > "Todd and Margo Chester" wrote in message
    > news:Kr6dnetlEuLlFvvZnZ2dnUVZ_s6dnZ2d@mozilla.org. ..
    >> Hi All,
    >> I have been reading about SSL Evading Trojans that
    >> circumvent SSL protections when logging into SSL protected
    >> web sites.
    >> http://www.infoworld.com/article/06/...html?s=feature
    >> http://www.infoworld.com/article/06/...html?s=feature
    >> The article did not mention if this is restricted to IE
    >> or to all browsers. Is ff immune to SSL Evading Trojans?
    >> -Todd

    >
    > My guess is that the trojan could pick up the keystrokes of any browser it
    > was designed for. Once a rogue process has been installed, it pretty much
    > has the run of the computer, doesn't it? I evaluate browsers, (among
    > other things), on the ability of a trojan to automatically get installed
    > without user interaction. The main vulnerability on a PC is a user who
    > wants to run his/her browser with root, administrative or power user
    > privileges. Can't defend against that kind of user.
    > The account I run my browser (XP) under doesn't permit installs. This
    > account can't populate its startup box or run registry key. If the trojan
    > can't get installed, it can't intercept keystrokes. On my solaris, I run
    > the browser as a user in low privileged groups.
    > ----
    >
    >

    Running in any other mode than administrator is, to me, much like trying
    to play the piano with a baseball mitt on. I often have several things
    going on at once, and the browser is only one of them, and the others
    often require admin privileges. What works for one often isn't useful
    to another. On the other hand, I don't get trojans, viruses, or other
    malware because of other operating practices.

  4. Re: is ff immune to SSL Evading Trojans?

    Todd and Margo Chester wrote:
    > Hi All,
    >
    > I have been reading about SSL Evading Trojans that
    > circumvent SSL protections when logging into SSL protected
    > web sites.
    >
    > http://www.infoworld.com/article/06/...html?s=feature
    >
    > http://www.infoworld.com/article/06/...html?s=feature
    >
    >
    > The article did not mention if this is restricted to IE
    > or to all browsers. Is ff immune to SSL Evading Trojans?
    >
    > -Todd

    No program is 'immune' to a trojan, once it's been installed on your system.
    A simple, safe and effective means to protect yourself is:
    Don't download from the internet
    If you must: Download the files and quarantine it for a week
    Ask around to see if there are any known problems with the file
    Ask around to see if there are any known problems with the source
    After the week (if there are no known problems) check the
    file with your AV (or Trojan Detector) program
    Install/run it.

    (downloading includes running .exe files you see on the web)

    Do the same with attachments in email, and you won't have to worry about
    trojans or viruses either

  5. Re: is ff immune to SSL Evading Trojans?

    Ron Hunter wrote:

    > Rghytl wrote:
    >
    >> "Todd and Margo Chester" wrote in
    >> message news:Kr6dnetlEuLlFvvZnZ2dnUVZ_s6dnZ2d@mozilla.org. ..
    >>
    >>> Hi All,
    >>> I have been reading about SSL Evading Trojans that
    >>> circumvent SSL protections when logging into SSL protected
    >>> web sites.
    >>> http://www.infoworld.com/article/06/...html?s=feature
    >>>
    >>> http://www.infoworld.com/article/06/...html?s=feature
    >>>
    >>> The article did not mention if this is restricted to IE
    >>> or to all browsers. Is ff immune to SSL Evading Trojans?

    >>
    >> My guess is that the trojan could pick up the keystrokes of any
    >> browser it was designed for. Once a rogue process has been installed,
    >> it pretty much has the run of the computer, doesn't it? I evaluate
    >> browsers, (among other things), on the ability of a trojan to
    >> automatically get installed without user interaction. The main
    >> vulnerability on a PC is a user who wants to run his/her browser with
    >> root, administrative or power user privileges. Can't defend against
    >> that kind of user.
    >> The account I run my browser (XP) under doesn't permit installs. This
    >> account can't populate its startup box or run registry key. If the
    >> trojan can't get installed, it can't intercept keystrokes. On my
    >> solaris, I run the browser as a user in low privileged groups.
    >>

    > Running in any other mode than administrator is, to me, much like trying
    > to play the piano with a baseball mitt on. I often have several things
    > going on at once, and the browser is only one of them, and the others
    > often require admin privileges. What works for one often isn't useful
    > to another. On the other hand, I don't get trojans, viruses, or other
    > malware because of other operating practices.


    Ron,

    I hear that. Here is an interesting idea from Mark Russinovich at
    Sysinternals:

    Running as Limited User - the Easy Way

    (http://www.sysinternals.com/blog/200...-easy-way.html)

    Quote: An alternative to running as limited user is to instead run
    only specific Internet-facing applications as a limited user that are
    at greater risk of compromise, such as IE and Outlook.

    And from the "just when you thought it could not get any worse"
    department:

    Windows Vista Product Editions
    (http://www.winsupersite.com/showcase...ions_final.asp)

    With WinXP, the Home Edition limited user is so crippled to be of
    almost no use for everyday computing. Now, try to figure out which
    Vista product edition offers what capability for which user.

    IMO, the problem is, and always will be, the GUI user profiles. These
    preclude the rapid toggling between admin and limited user accounts.
    This is in contrast to the *nix superuser (root) account, but then
    with the superuser account one is usually dealing with the CLI, not a
    bloated GUI interface.

    Ron

  6. Re: is ff immune to SSL Evading Trojans?

    Moz Champion (Dan) wrote:
    > Todd and Margo Chester wrote:
    >> Hi All,
    >>
    >> I have been reading about SSL Evading Trojans that
    >> circumvent SSL protections when logging into SSL protected
    >> web sites.
    >>
    >> http://www.infoworld.com/article/06/...html?s=feature
    >>
    >> http://www.infoworld.com/article/06/...html?s=feature
    >>
    >>
    >> The article did not mention if this is restricted to IE
    >> or to all browsers. Is ff immune to SSL Evading Trojans?
    >>
    >> -Todd

    > No program is 'immune' to a trojan, once it's been installed on your system.
    > A simple, safe and effective means to protect yourself is:
    > Don't download from the internet
    > If you must: Download the files and quarantine it for a week
    > Ask around to see if there are any known problems with the file
    > Ask around to see if there are any known problems with the source
    > After the week (if there are no known problems) check the
    > file with your AV (or Trojan Detector) program
    > Install/run it.
    >
    > (downloading includes running .exe files you see on the web)
    >
    > Do the same with attachments in email, and you won't have to worry about
    > trojans or viruses either


    Those are some of the measures which constitute 'safe hex'. I
    frequently download programs, and don't quarantine them, but I only
    download from sites I trust and my computer is pretty well protected
    from virus and trojan invasion. At least I haven't had either in
    several years. I did get a trojan about 1996, because I downloaded it
    intentionally to hex dump it, and when I went to select it, the mouse
    'bounced', executing the program. That was the last time that will happen!

  7. Re: is ff immune to SSL Evading Trojans?

    Ron Lopshire wrote:
    > Ron Hunter wrote:
    >
    >> Rghytl wrote:
    >>
    >>> "Todd and Margo Chester" wrote in
    >>> message news:Kr6dnetlEuLlFvvZnZ2dnUVZ_s6dnZ2d@mozilla.org. ..
    >>>
    >>>> Hi All,
    >>>> I have been reading about SSL Evading Trojans that
    >>>> circumvent SSL protections when logging into SSL protected
    >>>> web sites.
    >>>> http://www.infoworld.com/article/06/...html?s=feature
    >>>>
    >>>> http://www.infoworld.com/article/06/...html?s=feature
    >>>>
    >>>> The article did not mention if this is restricted to IE
    >>>> or to all browsers. Is ff immune to SSL Evading Trojans?
    >>>
    >>> My guess is that the trojan could pick up the keystrokes of any
    >>> browser it was designed for. Once a rogue process has been
    >>> installed, it pretty much has the run of the computer, doesn't it?
    >>> I evaluate browsers, (among other things), on the ability of a trojan
    >>> to automatically get installed without user interaction. The main
    >>> vulnerability on a PC is a user who wants to run his/her browser with
    >>> root, administrative or power user privileges. Can't defend against
    >>> that kind of user.
    >>> The account I run my browser (XP) under doesn't permit installs.
    >>> This account can't populate its startup box or run registry key. If
    >>> the trojan can't get installed, it can't intercept keystrokes. On
    >>> my solaris, I run the browser as a user in low privileged groups.
    >>>

    >> Running in any other mode than administrator is, to me, much like
    >> trying to play the piano with a baseball mitt on. I often have several
    >> things going on at once, and the browser is only one of them, and the
    >> others often require admin privileges. What works for one often isn't
    >> useful to another. On the other hand, I don't get trojans, viruses,
    >> or other malware because of other operating practices.

    >
    > Ron,
    >
    > I hear that. Here is an interesting idea from Mark Russinovich at
    > Sysinternals:
    >
    > Running as Limited User - the Easy Way
    >
    > (http://www.sysinternals.com/blog/200...-easy-way.html)
    >
    >
    > Quote: An alternative to running as limited user is to instead run only
    > specific Internet-facing applications as a limited user that are at
    > greater risk of compromise, such as IE and Outlook.
    >
    > And from the "just when you thought it could not get any worse" department:
    >
    > Windows Vista Product Editions
    > (http://www.winsupersite.com/showcase...ions_final.asp)
    >
    > With WinXP, the Home Edition limited user is so crippled to be of almost
    > no use for everyday computing. Now, try to figure out which Vista
    > product edition offers what capability for which user.
    >
    > IMO, the problem is, and always will be, the GUI user profiles. These
    > preclude the rapid toggling between admin and limited user accounts.
    > This is in contrast to the *nix superuser (root) account, but then with
    > the superuser account one is usually dealing with the CLI, not a bloated
    > GUI interface.
    >
    > Ron


    I use IE only for Windows Update, and never use Outlook/OE. I also have
    a good firewall program that includes such things as spyware checks
    (database), and content blocking, ad blocking, and various types of
    attack blocking. Then I am behind a router, which is another handy line
    of defense.

  8. Re: is ff immune to SSL Evading Trojans?

    "Ron Hunter" wrote in message
    news:R-OdnSpOxbSpQPvZnZ2dnUVZ_sednZ2d@mozilla.org...
    > Rghytl wrote:
    >> "Todd and Margo Chester" wrote in message
    >> news:Kr6dnetlEuLlFvvZnZ2dnUVZ_s6dnZ2d@mozilla.org. ..
    >>> Hi All,
    >>> I have been reading about SSL Evading Trojans that
    >>> circumvent SSL protections when logging into SSL protected
    >>> web sites.
    >>> http://www.infoworld.com/article/06/...html?s=feature
    >>> http://www.infoworld.com/article/06/...html?s=feature
    >>> The article did not mention if this is restricted to IE
    >>> or to all browsers. Is ff immune to SSL Evading Trojans?
    >>> -Todd

    >>
    >> My guess is that the trojan could pick up the keystrokes of any browser
    >> it was designed for. Once a rogue process has been installed, it pretty
    >> much has the run of the computer, doesn't it? I evaluate browsers,
    >> (among other things), on the ability of a trojan to automatically get
    >> installed without user interaction. The main vulnerability on a PC is a
    >> user who wants to run his/her browser with root, administrative or power
    >> user privileges. Can't defend against that kind of user.
    >> The account I run my browser (XP) under doesn't permit installs. This
    >> account can't populate its startup box or run registry key. If the
    >> trojan can't get installed, it can't intercept keystrokes. On my
    >> solaris, I run the browser as a user in low privileged groups.
    >> ----
    >>
    >>

    > Running in any other mode than administrator is, to me, much like trying
    > to play the piano with a baseball mitt on. I often have several things
    > going on at once, and the browser is only one of them, and the others
    > often require admin privileges. What works for one often isn't useful to
    > another. On the other hand, I don't get trojans, viruses, or other
    > malware because of other operating practices.


    I can understand the frustrations of running as a limited user. I run as
    power user myself for my desktop. Nevertheless, there are techniques to
    reduce the privileges of internet connecting software. The way I use,
    (because at the time I was unaware of the others), is to use 'runas' to run
    the browser, email, etc under a different account. On XP-pro, the password
    of the alternate account can be cached, hence, I've incorporated the
    alternate user into shortcuts, so there is no more effort in day to day use
    than there would be running the application directly from the desktop id. An
    XP-Home user could use 'CPAU'. I use CPAU myself if I want to use a
    well-known account, such as "administrator". I don't cache passwords of
    well-known accounts.
    http://www.joeware.net/win/free/tools/cpau.htm
    Another way is to use 'DropMyRights' which starts a process with the
    administrative token stripped from the process. I *think* it will strip a
    PowerUser token as well - I don't use it, but I would if I wasn't using a
    different method. This will work on XP home and Pro.
    http://msdn.microsoft.com/security/s...re11152004.asp
    A third way, available on XP-Pro is to use software restriction policies to
    restrict a process, such as Firefox, to basic user. This will strip the
    administrative or power user token from the target process.
    http://msdn.microsoft.com/library/en...asp?frame=true

    The disadvantage with this method is that the auto-update function in
    Firefox won't work without changing the setting. With the first two
    methods, all one needs to do is have a separate icon to bring up Firefox in
    administrative mode, and the update function works. (I use the third method
    on software other than browsers.)

    My view of the browser, whether it is IE or Firefox, is that it is too
    complicated to secure completely. I can either strip functionality or
    privileges from the processes. I do both. Also, the plugins, such as
    Shockwave, Adobe, Media Player, Java and so forth also have to be clear of
    vulnerabilities. I love that NoScript plugin that whitelists sites allowed
    to use JavaScript. But my comfort level requires that no internet
    connecting process runs with Power User or Administrative privileges. One
    way or another, that's what I do.
    -----
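
A check of the conditions described in posts 2 and 8 (no Administrators or Power Users group enabled in the token, no write access to the Run keys or Startup folders), as an added example that is not part of the thread. It assumes PowerShell 3.0 or later and is meant to be started under the same account the browser runs as; the function names are made up for illustration.

```powershell
# Added example, not from the thread. Run it as the account the browser uses.
# Function names are hypothetical; requires PowerShell 3.0 or later.

function Test-TokenGroup {
    # True if the well-known group is enabled in the current process token.
    param([System.Security.Principal.WellKnownSidType]$SidType)
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $sid       = New-Object System.Security.Principal.SecurityIdentifier($SidType, $null)
    return $principal.IsInRole($sid)
}

function Test-RegKeyWritable {
    # Requests write access to an existing key; nothing is created or changed.
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey)
    try {
        $key = $Hive.OpenSubKey($SubKey, $true)   # $true = open for writing
        if ($null -eq $key) { return $false }     # key absent: check its parent by hand
        $key.Close()
        return $true
    } catch {
        return $false                             # access denied
    }
}

function Test-FolderWritable {
    # Creates a zero-byte probe file that is deleted when its handle closes.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        $fs = [System.IO.File]::Create($probe, 1, [System.IO.FileOptions]::DeleteOnClose)
        $fs.Close()
        return $true
    } catch {
        return $false
    }
}

$runKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
$hkcu   = [Microsoft.Win32.Registry]::CurrentUser
$hklm   = [Microsoft.Win32.Registry]::LocalMachine

$findings = @(
    [pscustomobject]@{ Check = 'Administrators enabled in token'; Allowed = (Test-TokenGroup 'BuiltinAdministratorsSid') }
    [pscustomobject]@{ Check = 'Power Users enabled in token';    Allowed = (Test-TokenGroup 'BuiltinPowerUsersSid') }
    [pscustomobject]@{ Check = 'Write to HKCU Run key';           Allowed = (Test-RegKeyWritable $hkcu $runKey) }
    [pscustomobject]@{ Check = 'Write to HKLM Run key';           Allowed = (Test-RegKeyWritable $hklm $runKey) }
    [pscustomobject]@{ Check = 'Write to per-user Startup folder'; Allowed = (Test-FolderWritable ([Environment]::GetFolderPath('Startup'))) }
    [pscustomobject]@{ Check = 'Write to all-users Startup folder'; Allowed = (Test-FolderWritable ([Environment]::GetFolderPath('CommonStartup'))) }
)

$findings | Format-Table -AutoSize

# Any True row is a privilege or autostart location still open to a process
# running as this account.
$open = @($findings | Where-Object { $_.Allowed })
if ($open.Count -gt 0) {
    Write-Warning ("{0} of {1} checks are still permitted for this account." -f $open.Count, $findings.Count)
} else {
    Write-Output 'This account holds no admin/power-user token and cannot write to the checked autostart locations.'
}
```

On a default limited account the per-user Run key and Startup folder normally report True; getting them to False takes the extra lockdown described in post 2.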



  9. Re: is ff immune to SSL Evading Trojans?

    Ron Lopshire wrote:
    > Ron Hunter wrote:
    >
    >> Rghytl wrote:
    >>
    >>> "Todd and Margo Chester" wrote in
    >>> message news:Kr6dnetlEuLlFvvZnZ2dnUVZ_s6dnZ2d@mozilla.org. ..
    >>>
    >>>> Hi All,
    >>>> I have been reading about SSL Evading Trojans that
    >>>> circumvent SSL protections when logging into SSL protected
    >>>> web sites.
    >>>> http://www.infoworld.com/article/06/...html?s=feature
    >>>>
    >>>> http://www.infoworld.com/article/06/...html?s=feature
    >>>>
    >>>> The article did not mention if this is restricted to IE
    >>>> or to all browsers. Is ff immune to SSL Evading Trojans?
    >>>
    >>> My guess is that the trojan could pick up the keystrokes of any
    >>> browser it was designed for. Once a rogue process has been
    >>> installed, it pretty much has the run of the computer, doesn't it?
    >>> I evaluate browsers, (among other things), on the ability of a trojan
    >>> to automatically get installed without user interaction. The main
    >>> vulnerability on a PC is a user who wants to run his/her browser with
    >>> root, administrative or power user privileges. Can't defend against
    >>> that kind of user.
    >>> The account I run my browser (XP) under doesn't permit installs.
    >>> This account can't populate its startup box or run registry key. If
    >>> the trojan can't get installed, it can't intercept keystrokes. On
    >>> my solaris, I run the browser as a user in low privileged groups.
    >>>

    >> Running in any other mode than administrator is, to me, much like
    >> trying to play the piano with a baseball mitt on. I often have several
    >> things going on at once, and the browser is only one of them, and the
    >> others often require admin privileges. What works for one often isn't
    >> useful to another. On the other hand, I don't get trojans, viruses,
    >> or other malware because of other operating practices.

    >
    > Ron,
    >
    > I hear that. Here is an interesting idea from Mark Russinovich at
    > Sysinternals:
    >
    > Running as Limited User - the Easy Way
    >
    > (http://www.sysinternals.com/blog/200...-easy-way.html)
    >
    >
    > Quote: An alternative to running as limited user is to instead run only
    > specific Internet-facing applications as a limited user that are at
    > greater risk of compromise, such as IE and Outlook.
    >
    > And from the "just when you thought it could not get any worse" department:
    >
    > Windows Vista Product Editions
    > (http://www.winsupersite.com/showcase...ions_final.asp)
    >
    > With WinXP, the Home Edition limited user is so crippled to be of almost
    > no use for everyday computing. Now, try to figure out which Vista
    > product edition offers what capability for which user.
    >
    > IMO, the problem is, and always will be, the GUI user profiles. These
    > preclude the rapid toggling between admin and limited user accounts.
    > This is in contrast to the *nix superuser (root) account, but then with
    > the superuser account one is usually dealing with the CLI, not a bloated
    > GUI interface.


    You can, of course, run any (GUI) app you like as root/su from a
    "normal" user login, e. g. from inside KDE.

    BR,
    Gudmund
