[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSL Man-in-the-middle

To: "David J. Bianco" <[email protected]>
Subject: Re: SSL Man-in-the-middle
From: Simon Spero <[email protected]>
Date: Mon, 25 Sep 1995 12:55:25 -0700 (PDT)
Cc: Eric Young <[email protected]>, [email protected]
In-Reply-To: <[email protected]>
Sender: [email protected]

I can confirm that, at least up to 1.2, netscape navigator does not do any 
validation beyond checking the signer of the certificate. 

Exactly - the trust model used in Navigator 1.1N requires you to trust 
every single owner of a valid certificate. Getting hold of any key is 
vastly easier than having to obtain a specific key; in the worst case, 
you just buy your own - SSL exchanges are repudiable, and a few simple 
tricks can make sure you cerificiate doesn't show up in the "Document 
Information" dialog box. Or, since there are is CRLing, accidentaly lose 
you private key, notify verisni and get a revocation. 

To detect the attack without using either a modified client, or a nice
proxy that checks for you, you must do packet-tracing on all SSL
connections, regenerate the exchange, and then review each exchange to
look for suspicious certificates.

Follow-Ups:
- Re: SSL Man-in-the-middle
  - From: Jeff Barber <[email protected]>
- Re: SSL Man-in-the-middle
  - From: [email protected] (Jeff Weinstein)

References:
- Re: SSL Man-in-the-middle
  - From: "David J. Bianco" <[email protected]>

Prev by Date: PM's Netscape rant
Next by Date: Re: netscape bug
Prev by thread: Re: SSL Man-in-the-middle
Next by thread: Re: SSL Man-in-the-middle
Index(es):
- Date
- Thread