Re: SSL Man-in-the-middle
I can confirm that, at least up to 1.2, Netscape Navigator does not do any
validation beyond checking the signer of the certificate.
Exactly - the trust model used in Navigator 1.1N requires you to trust
every single owner of a valid certificate. Getting hold of any key is
vastly easier than having to obtain a specific key; in the worst case,
you just buy your own - SSL exchanges are repudiable, and a few simple
tricks can make sure your certificate doesn't show up in the "Document
Information" dialog box. Or, since there are is CRLing, accidentally lose
your private key, notify VeriSign and get a revocation.
To detect the attack without using either a modified client, or a nice
proxy that checks for you, you must do packet-tracing on all SSL
connections, regenerate the exchange, and then review each exchange to
look for suspicious certificates.
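
The review step described in the message above, sketched as an added example that is not part of the original post: given already-recorded exchanges, it flags certificates that pass a signer-only check but were not issued for the host the client asked for. The record layout, the function names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Exchange:
    requested_host: str   # host the client intended to reach
    cert_names: list      # subject names carried by the presented certificate
    signer_trusted: bool  # outcome of the signer-only check the thread describes

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or one left-most '*' label standing in for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards that would span a whole top-level domain.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def classify(ex: Exchange) -> str:
    if not ex.signer_trusted:
        return "untrusted-signer"
    if any(name_matches(n, ex.requested_host) for n in ex.cert_names):
        return "ok"
    # Validly signed, but for somebody else: accepted by a signer-only client.
    return "name-mismatch"

def suspicious(exchanges):
    """Return (host, reason) for every exchange that needs a human look."""
    return [(e.requested_host, classify(e)) for e in exchanges
            if classify(e) != "ok"]

# Constructed sample records, standing in for exchanges rebuilt from a trace.
SAMPLE = [
    Exchange("shop.example.com", ["shop.example.com"], True),
    Exchange("shop.example.com", ["*.example.com"], True),
    Exchange("shop.example.com", ["www.other.example"], True),
    Exchange("bank.example.net", ["bank.example.net"], False),
    Exchange("a.b.example.com", ["*.example.com"], True),
]

if __name__ == "__main__":
    for host, reason in suspicious(SAMPLE):
        print(f"{host}: {reason}")
```

The "name-mismatch" rows are the ones a client that only checks the signer would accept without complaint.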