How dangerous is it to translate IPs directly via hosts in Windows

2

Sorry for the inconvenience, as English is not my native language.

I use hosts to access some websites as DNS is polluted.

My question is, take www.google.com as an example.

If I am successfully social-engineered by an attacker, who changes the translation in hosts to point to a phishing website.

If I use http, then I am completely screwed, right?

If I use https, then the browser will give a warning, if my PC is not compromised.

For the https case, is it possible that the phishing website just passes a certificate from www.google.com to me to prove it is genuine?

user69835

Posted 2011-07-25T10:24:43.600

Reputation:

Are you the IT support guy maintaining your bank's website? Cheated into assigning the domain to the IP of a phishing website? Makes no sense. And what do you mean "Assign IPs directly via hosts in Windows"? All that normally means is manually or via DHCP. Your question doesn't make much sense. – barlop – 2011-07-25T11:08:25.570

If you mean your hosts file got used, that's not called assigning IPs, it's translating. Your question is garbage. Look at your hosts file make sure it's ok. – barlop – 2011-07-25T11:09:24.900

You should try to reword your question. You know what you mean. – barlop – 2011-07-25T11:09:56.350

You did a good editing job there. – barlop – 2011-07-25T13:50:35.523

Answers

4

Consider the following statements:

  • All certificate authorities trusted by your web browser refuse to issue a certificate for examplebank.com to the attacker without proof of domain ownership.

  • The signing keys of all authorities are securely stored and an unauthorized person cannot issue a certificate to themselves. (See recent Comodo break-in.)

  • Your web browser correctly checks if the server's SSL certificate is issued by a valid CA, not revoked, valid for use by servers, and issued for the examplebank.com domain.

  • There is no active malware or a browser bug that causes such checks to be bypassed.

  • You always open https://examplebank.com, requesting SSL explicitly instead of relying on the website to redirect you.

  • You actually read the SSL error messages instead of blindly clicking Ignore when you open the website.

If all of the above are true, HTTPS will warn you that you tried to connect to a fake website. However, HTTPS cannot bypass lower-level redirections (such as spoofing examplebank.com by DNS or /etc/hosts), so if you ignore the warnings, your data will be going to the attacker, not to the real bank.

To conclude, yes, it's dangerous.


In response to the edited question:

  1. If you use plain HTTP, you're screwed.

  2. If you use HTTPS, you will receive a big red warning (see first part of the answer).

  3. Every "certificate" has an RSA (sometimes DSA, ECDSA) key pair. The public key of the pair is part of the certificate, while the private key is locked away in the webserver and never sent over the network. Both keys are needed to successfully complete the TLS/SSL handshake.

    If the attacker presents a certificate, but does not have the associated private key, they will not be able to decrypt any traffic that goes over TLS. Wikipedia has a description of the TLS handshake.

user1686

Posted 2011-07-25T10:24:43.600

Reputation: 283 655

Thank you. You almost answered my question. But as requested by the comments, I edited my question. Would you kindly have a look, and answer the edited questions. – None – 2011-07-25T11:22:37.647

@Dante: See update. – user1686 – 2011-07-25T11:51:39.257
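The answer's point that the browser checks the certificate against the domain you typed, not against whatever IP the hosts file produced, can be shown with a small model. This is an added example, not code from the answer: the hosts-file content, the 203.0.113.5 address (documentation range) and the `phish.example` names are constructed, and the model covers only the hostname check, not the private-key proof in the handshake.

```python
from ipaddress import ip_address

# Constructed Windows hosts file (not from the page). The last line is the kind
# of entry a victim is talked into adding; 203.0.113.5 is a documentation address.
HOSTS_TEXT = """\
# Sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.5     www.google.com google.com   # "DNS fix" pasted from a forum post
"""

def parse_hosts(text):
    """Map each hostname in a hosts file to its address (comments stripped)."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping

def non_loopback_entries(mapping):
    """Audit helper: every entry that does not point at loopback overrides a
    public name and deserves a look."""
    return {h: a for h, a in mapping.items() if not ip_address(a).is_loopback}

def hostname_matches(typed, cert_names):
    """RFC 6125 style name check: '*' in the leftmost label matches exactly one
    DNS label, so *.google.com covers www.google.com but not google.com."""
    typed = typed.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            t_labels, n_labels = typed.split("."), name.split(".")
            if len(t_labels) == len(n_labels) and t_labels[1:] == n_labels[1:]:
                return True
        elif name == typed:
            return True
    return False

def https_check(typed_host, hosts_map, servers):
    """Resolve via hosts, then verify the presented certificate names against the
    TYPED hostname. The IP plays no part, so a redirected connection still has
    to present a certificate valid for the name the user asked for."""
    ip = hosts_map.get(typed_host.lower())
    presented = servers[ip]            # subject names the server at that IP serves
    return hostname_matches(typed_host, presented)
```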

4

SSL (HTTPS) will only protect you as long as your client is not compromised.

If someone manages to modify /etc/hosts, he can also manage to modify your browser to not perform the SSL validation of the server you're connecting to, or he can add his fraud server's fake certificate into your system's database of trusted certificates.

If however your client is not compromised and someone manages to redirect your browser to a different IP address (e.g. some kind of DNS-related hack, or cheating you to modify /etc/hosts without anything else), the browser will warn you that something's wrong with the server's certificate, and, provided you don't ignore the warning and proceed, you are safe.

On your second question:

For the https case, is it possible that the phishing website just passes a certificate from www.google.com to me to prove it is genuine?

No, that is not possible, unless the attacker managed to obtain the server's private key (e.g. by hacking the server itself). Even if a fraudulent server "passed on" the server's certificate, he will not be able to prove its identity to the client if he does not possess that private key. If he attempts to do that, he will fail and the browser will show a warning.

Ambroz Bizjak

Posted 2011-07-25T10:24:43.600

Reputation: 4 265

Thank you. Your answer is also good. But as requested by the comments, I edited my question. Would you kindly have a look, and answer the last question? – None – 2011-07-25T11:23:03.497

0

Dante, your edits are welcomed. But the answer remains. If the hosts file is compromised, your whole security can be compromised concerning those domains that have been socially engineered on that file.

HTTPS is the exception and will offer some form of protection due to the certificate system that will let you know the website you are viewing may not be what it seems.

A Dwarf

Posted 2011-07-25T10:24:43.600

Reputation: 17 756

So no matter what they do, as long as only the IP is wrong, HTTPS will cause a warning, right? – None – 2011-07-25T11:42:53.563

To the extent of my knowledge, yes. You should accept any of the two other answers. I only answered here because the question comment area has been polluted by other remarks. – A Dwarf – 2011-07-25T11:44:54.093

Wrong. HTTPS only protects against a "man-in-the-middle" attack. That's to say, an attacker that doesn't alter either your web browser or the web server, but one that does control some part of the network in the middle (e.g. the WiFi). If the Hosts file is compromised, the attacker has successfully breached the client security, and can no longer be classed as man-in-the-middle. He can equally well replace your browser with one that skips all HTTPS checks. – MSalters – 2011-07-26T10:29:25.277