
Re: SSL Man-in-the-middle



On Sep 25,  9:35, Eric Young sent the following to the NSA's mail archives:
> Subject: Re: SSL Man-in-the-middle
||
|| On Fri, 22 Sep 1995, David J. Bianco wrote:
|| > Has anyone given much thought to the feasibility of a man-in-the-middle
|| > attack against an SSL (or other similar) transaction?  To me, the
|| > possibility seems obvious, so I figure it must have been discussed before,
|| > though I haven't seen it.
|| ....
|| > Since neither the browser nor the server performs any authentication checks,
|| > neither Bob nor Alice know they are really speaking to Mallet.  The best
|| > Alice can do is check the IP address of the client she's speaking to, but
||
|| Ah, err, the infamous problem of Netscape Navigator refusing to talk to
|| SSL httpd's because they don't have a certificate issued by Verisign is
|| caused by the client authenticating the Server certificate.
|| To get a Verisign signed x509 certificate requires quite a bit of proof
|| that your company is who they claim they are.  So server authentication
|| is used.
||

Not so.  VeriSign can only vouch for identity, not intention.  I can fork
out $300 (at last count) and get a signed certificate for my fake company.
If the stakes are high enough, I can incorporate fairly cheaply, get a
business license, and then I'd have a real company I could submit as.

Or, if I'm lazy, don't have enough money, or unwilling to leave a paper
trail, I'd break into someone's weakly secured server and steal their
certificate.

In either case, I've obtained a "legitimate" signed certificate for
illegitimate purposes.  That's why I don't think just verifying the
signature on the certificate is nearly enough.

--
==========================================================================
David J. Bianco			| Web Wonders, Online Oddities, Cool Stuff
iTribe, Inc.			| Phone: (804) 446-9060 Fax: (804) 446-9061
Suite 1700, World Trade Center	| email: <[email protected]>
Norfolk, VA 23510		| URL  : http://www.itribe.net/~bianco/
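The message above argues that a valid CA signature only proves a certificate was issued, not that it belongs to the party the client meant to reach. The following is an added example (not code from the thread or from any project named in it) of the checks a client performs after the signature check: binding the certificate's DNS names to the hostname that was dialled, and optionally pinning the expected certificate fingerprint so that a second, separately issued certificate for the same name is rejected. The certificate dictionaries and DER byte strings are constructed for illustration; the dict shape mirrors what Python's `ssl.SSLSocket.getpeercert()` returns, and the chain/signature validation is assumed to have already passed before these functions run.

```python
"""Peer-identity checks that go beyond "is the CA signature valid?".

Added example, not code from the original mailing-list thread.  The
certificate dicts and DER bytes below are constructed stand-ins; the dict
shape mirrors ssl.SSLSocket.getpeercert().  CA signature and chain checks
are assumed to have already succeeded (this code does not parse X.509).
"""
import hashlib
from typing import List, Optional, Set, Tuple


def _labels(name: str) -> List[str]:
    """Lower-case, drop a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one certificate DNS name against a hostname.

    Rules applied (deliberately strict):
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is honoured only as the whole leftmost label, matches
      exactly one label, and must be followed by at least two labels
      (*.itribe.net is accepted, *.net is not)
    - a '*' anywhere else rejects the pattern
    """
    p, h = _labels(pattern), _labels(hostname)
    if not p or not h or len(p) != len(h) or any(lbl == "" for lbl in h):
        return False
    first, rest = p[0], p[1:]
    if any("*" in lbl for lbl in rest):
        return False
    if first == "*":
        return len(rest) >= 2 and rest == h[1:]
    if "*" in first:
        return False
    return p == h


def names_from_cert(cert: dict) -> List[str]:
    """DNS names the certificate claims.  SAN dNSName entries are authoritative;
    the Common Name is consulted only when the cert has no SAN DNS entry at all
    (legacy fallback, kept so pre-SAN certificates can still be evaluated)."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_fingerprint_sha256(der: bytes) -> str:
    """Hex SHA-256 over the DER encoding; the value a client would pin."""
    return hashlib.sha256(der).hexdigest()


def check_peer_identity(cert: dict, expected_host: str, der: Optional[bytes] = None,
                        pinned: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Decide whether a certificate that already carries a valid CA signature is
    the one the client intended to talk to.

    1. the hostname that was dialled must match one of the cert's DNS names
    2. if fingerprints are pinned, the presented cert must be one of them, which
       rejects a second CA-issued certificate for the same name
    A certificate *and its private key* stolen from the real server would pass
    both checks; that is the limit the message above points at.
    """
    names = names_from_cert(cert)
    if not names:
        return False, "certificate carries no DNS name"
    if not any(dns_name_matches(n, expected_host) for n in names):
        return False, "hostname %r matches none of %r" % (expected_host, names)
    if pinned is not None:
        if der is None:
            return False, "pinning requested but no DER certificate supplied"
        fp = cert_fingerprint_sha256(der)
        if fp not in pinned:
            return False, "certificate fingerprint %s... is not pinned" % fp[:16]
    return True, "ok"


# Constructed samples (the byte strings are not real DER).
ALICE_DER = b"constructed-der-for-www.itribe.net"
ALICE_CERT = {
    "subject": ((("commonName", "www.itribe.net"),),),
    "subjectAltName": (("DNS", "www.itribe.net"), ("DNS", "*.itribe.net")),
}
# A look-alike name, legitimately issued: valid signature, wrong identity.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "www.itribe-secure.net"),),),
    "subjectAltName": (("DNS", "www.itribe-secure.net"),),
}
# Same name as Alice's, issued by a CA to someone else: only pinning catches it.
MISISSUED_DER = b"constructed-der-for-a-second-www.itribe.net-cert"
MISISSUED_CERT = {"subjectAltName": (("DNS", "www.itribe.net"),)}
PINS = {cert_fingerprint_sha256(ALICE_DER)}

if __name__ == "__main__":
    print(check_peer_identity(ALICE_CERT, "WWW.ITRIBE.NET", ALICE_DER, PINS))
    print(check_peer_identity(LOOKALIKE_CERT, "www.itribe.net"))
    print(check_peer_identity(MISISSUED_CERT, "www.itribe.net", MISISSUED_DER, PINS))
```

Without pins, the mis-issued certificate passes, which is exactly the gap the message describes: the CA vouched for a name, not for who was entitled to serve it. Pinning closes that gap for a known peer at the cost of having to rotate the pin whenever the certificate changes.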