Re: SSL Man-in-the-middle
On Sep 25, 9:35, Eric Young sent the following to the NSA's mail archives:
> Subject: Re: SSL Man-in-the-middle
||
|| On Fri, 22 Sep 1995, David J. Bianco wrote:
|| > Has anyone given much thought to the feasibility of a man-in-the-middle
|| > attack against an SSL (or other similar) transaction? To me, the
|| > possibility seems obvious, so I figure it must have been discussed before,
|| > though I haven't seen it.
|| ....
|| > Since neither the browser nor the server performs any authentication checks,
|| > neither Bob nor Alice knows they are really speaking to Mallet. The best
|| > Alice can do is check the IP address of the client she's speaking to, but
||
|| Ah, err, the infamous problem of Netscape Navigator refusing to talk to
|| SSL httpd's because they don't have a certificate issued by Verisign is
|| caused by the client authenticating the Server certificate.
|| To get a Verisign signed x509 certificate requires quite a bit of proof
|| that your company is who they claim they are. So server authentication
|| is used.
||
Not so. VeriSign can only vouch for identity, not intention. I can fork
out $300 (at last count) and get a signed certificate for my fake company.
If the stakes are high enough, I can incorporate fairly cheaply, get a
business license, and then I'd have a real company I could submit as.
Or, if I'm lazy, don't have enough money, or am unwilling to leave a paper
trail, I'd break into someone's weakly secured server and steal their
certificate.
In either case, I've obtained a "legitimate" signed certificate for
illegitimate purposes. That's why I don't think just verifying the
signature on the certificate is nearly enough.
--
==========================================================================
David J. Bianco | Web Wonders, Online Oddities, Cool Stuff
iTribe, Inc. | Phone: (804) 446-9060 Fax: (804) 446-9061
Suite 1700, World Trade Center | email: <[email protected]>
Norfolk, VA 23510 | URL : http://www.itribe.net/~bianco/