Re: SSL Man-in-the-middle
On Fri, 22 Sep 1995, David J. Bianco wrote:
> Has anyone given much thought to the feasibility of a man-in-the-middle
> attack against an SSL (or other similar) transaction? To me, the
> possibility seems obvious, so I figure it must have been discussed before,
> though I haven't seen it.
....
> Since neither the browser nor the server performs any authentication checks,
> neither Bob nor Alice knows they are really speaking to Mallet. The best
> Alice can do is check the IP address of the client she's speaking to, but
Ah, err, the infamous problem of Netscape Navigator refusing to talk to
SSL httpds because they don't have a certificate issued by Verisign is
caused by the client authenticating the server certificate.
Getting a Verisign-signed X.509 certificate requires quite a bit of proof
that your company is who it claims to be. So server authentication
is used.
eric
--
Eric Young | Signature removed since it was generating
AARNet: [email protected] | more followups than the message contents :-)
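An added illustration of the point Eric makes above, not part of the original thread: a client that only accepts server certificates chaining to a CA it trusts rejects the certificate a man in the middle can produce, because Mallet cannot get the CA to sign a certificate in Alice's name. The script assumes the openssl command-line tool is installed; the CA, host name and helper function names are constructed for this demo (a throw-away local CA stands in for Verisign).

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the openssl CLI is
# available; every key, name and certificate below is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Hypothetical helper: build the trusted CA, a CA-signed certificate for Alice's
# server, and a self-signed certificate Mallet forges under Alice's name.
make_demo_certs() {
    # Throw-away "Verisign": a self-signed root CA that Bob's browser trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Alice proves her identity to the CA and receives a certificate it signs.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=alice.example" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/alice.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/alice.pem" >/dev/null 2>&1
    # Mallet can mint a certificate carrying Alice's name, but only one he
    # signs himself; the trusted CA will not sign it for him.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice.example" \
        -keyout "$WORK/mallet.key" -out "$WORK/mallet.pem" >/dev/null 2>&1
}

# Hypothetical helper: the check a client performs on the certificate the
# server presents. Prints "accepted" if the certificate chains to the trusted
# CA and "rejected" otherwise (openssl verify exits non-zero on failure).
check_server_cert() {
    if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_demo_certs
echo "Alice's CA-signed cert:    $(check_server_cert "$WORK/alice.pem")"   # accepted
echo "Mallet's self-signed cert: $(check_server_cert "$WORK/mallet.pem")"  # rejected
```

The same chain check is what the browser performs during the SSL handshake; a client that skips it (or trusts any self-signed certificate) is back in the situation David describes.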