hack.lu: MITMing a room full of security people

In Pwned @ hack.lu, Didier Stevens has a nice screenshot of what a lot of people saw at the conference yesterday. Not trusting the crowd in the room, I had configured my Web browser to go through an SSH tunnel elsewhere, so the software that was affected for me was fetchmail — which I had fortunately configured paranoid enough that it noticed the wacky certificate that was “shown” by my personal server on port 995, pop3-s, and simply died with a nice error message.So, what happened? As I said in a spontaneous lightning talk after that session, my diagnosis was that somebody was running a man-in-the-middle attack on a room full of security people. The tool they were using rewrote the TLS certificates that were shown by servers, but tried to keep the human-readable information in the certificate intact. (As Benny K notes in a comment, “the certificate seemed fine”.) The tool used was most likely ettercap.Incidentally, I don’t mind that this prank was played on all of us. Attending a hacking conference means you’re fair game to some extent — there will be packet sniffing, and there will be active attacks. As long as no lasting damage is caused, and as long as the attacks don’t interfere with the conference talks, that’s fine. What I found disappointing, though, is that the responsible party didn’t have the stomach to give a lightning talk about the results gathered. For instance, I’d love to know how many of the (security-minded!) people in the room actually clicked past the errors that their browsers and mail clients showed. That would be first-class input for the Web Security Context Working Group. (Anecdotal evidence suggests that a few people got rather nervous after they heard the lightning talk…)Now, for the details…