
Reader Comments (Page 1 of 1)
2-28-2010 @ 1:17PM
Glasken said...
The solution to this is relatively simple, and one that has been used by organizations that use RSA key tokens (basically the same as an Authenticator) to prevent man in the middle attacks:
Encrypt the login session.
Blizzard would need to change the client so that initial setup of the communication channel occurred by having the client connect to the login servers in order to get the username/password screen, but in doing so it would prevent this type of attack - because as soon as you hit enter, the data is encrypted and sent to Blizzard. If the article is correct on how this particular attack works, they are using hooks into the login screen of the WoW client in order to capture the data. If those hooks no longer exist, because that screen is no longer part of the client, then this should prevent the attack. This would require that Blizzard implement some decent encryption - SSL is a start, but there are other solutions.
2-28-2010 @ 2:07PM
Morcego said...
Encrypting the login session doesn't protect against man-in-the-middle attacks. Sorry.
Yes, it is still better than plain text data, without a doubt. But thinking this would solve the problem is just plain wrong.
Actually, there is more than one way to compromise that kind of connection. Session Hijacking is another method that might prove to be a valid attack.
In a nutshell, once the user's computer gets compromised, there is nothing Blizzard can do to assure the WoW account won't be also.
2-28-2010 @ 7:35PM
DarkWalker said...
The cracker just needs to use a common keylogger to get the code, so this would offer almost no extra protection in this specific case.