Message-Id: <1443756783.726731.399247665.1F5E1129@webmail.messagingengine.com>
Date: Thu, 01 Oct 2015 22:33:03 -0500
From: Mark Felder <feld@...d.me>
To: fulldisclosure@...lists.org
Subject: [FD] Charter Spectrum Business HTTP MITM

Hello,

You probably don't need to be told otherwise, but do not trust Charter
(or any ISP) with your HTTP traffic even if you're paying for a business
connection and expect internet without tampering or analysis. I recently
started receiving redirects to a Terms & Conditions page on IPv4 HTTP
traffic. My tests indicate they don't do it with IPv6 through their 6rd
Border Relay and of course they can't do it with HTTPS. Surprisingly
most of my traffic avoids IPv4 HTTP so I am not sure how long this has
been going on.

They insert RST packets and then redirect you to a page to present you
new T&C they want you to accept. The URL looks like this:

http://tandc-browsermessaging.charter.net/?sub=ctgcw67P4wwQS1UWxrkXpw%7CzDWlBWA5zOMe_UlM2CDTNrvyOKhDVmmHD7FsEYdrkAGchiHqZj0U-x7_udYQ1hOM3hHa-exjfm0I0aU0rNGXvOwNLaMhjs6DcqDCqHFaaNPd_oJPhAW98gaC05D_bhpF-mss5gQIkstxEUxEOpezjQ&originalURL=http%3A//seclists.org/fulldisclosure/&ack=24.217.29.129

I've attached a packet dump of this in action.


Stay safe

Download attachment "charter.pcapng" of type "application/octet-stream" (100140 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
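
A check for the redirect pattern described in the message, as an added example that is not part of the original post: it flags an HTTP redirect to a different host whose query string echoes the URL that was requested, as the `originalURL` parameter does in the URL above. It assumes the injected response is a 3xx with a `Location` header (the post does not show the response itself); the function name and the `sub` value in the sample are constructed.

```python
from urllib.parse import urlsplit, parse_qs

REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed sample: host, originalURL and ack are taken from the post,
# the sub token is a placeholder standing in for the opaque value.
SAMPLE_LOCATION = (
    "http://tandc-browsermessaging.charter.net/"
    "?sub=CONSTRUCTED-TOKEN"
    "&originalURL=http%3A//seclists.org/fulldisclosure/"
    "&ack=24.217.29.129"
)


def injected_redirect(requested_url, status, headers):
    """Return a finding dict if a redirect looks like on-path injection, else None.

    Heuristic (an assumption of this example): a plain-HTTP request answered
    with a redirect to a *different* host that carries the requested URL back
    in a query parameter.
    """
    if status not in REDIRECT_CODES:
        return None
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if not location:
        return None
    req, loc = urlsplit(requested_url), urlsplit(location)
    # Relative redirects and same-host redirects (e.g. an HTTPS upgrade)
    # are what an origin server normally sends.
    if not loc.hostname or loc.hostname == req.hostname:
        return None
    params = parse_qs(loc.query)  # values are percent-decoded
    echoed = [name for name, values in params.items() if requested_url in values]
    if not echoed:
        return None
    return {
        "redirect_host": loc.hostname,
        "echo_param": echoed[0],
        "other_params": sorted(set(params) - set(echoed)),
    }


if __name__ == "__main__":
    print(injected_redirect("http://seclists.org/fulldisclosure/", 302,
                            {"Location": SAMPLE_LOCATION}))
```

Legitimate single sign-on flows also redirect cross-host with a return URL, so a hit is a prompt to fetch the same resource over HTTPS or IPv6 and compare, not proof of tampering on its own.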
