[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSL Man-in-the-middle

To: Jeff Weinstein <[email protected]>
Subject: Re: SSL Man-in-the-middle
From: Simon Spero <[email protected]>
Date: Mon, 25 Sep 1995 20:25:20 -0400 (EDT)
Cc: [email protected]
In-Reply-To: <[email protected]>
Sender: [email protected]

Jeff - there are two ways to get the document information right (or wrong).

The first approach is to use redirects to point the client back at the 
original server once you've grabbed whatever info you want for the 
request. Redirects from https -> https don't trigger a warning box. You 
may need to rewrite the URL slightly to prevent loop detection (stick a . 
at the end of the hostname, or add a port, etc. 

The second approach is to only intercept requests for inline images. 
These don't affect the document information window, and give you full 
access to the whole request, which may have user authentication information 
associated with it, in the URL or in  header fields. Image requess can be 
identified reliably through simple traffic analysis.

Simon

Contract with America - Explained!			|Phone: +44-81-500-3000
Contract: verb						|Mail: [email protected]
1) To shrink or reduce in size - the economy contracted +-----------------------
2) To become infected -My baby contracted pneumonia when they stopped my welfare

References:
- Re: SSL Man-in-the-middle
  - From: [email protected] (Jeff Weinstein)

Prev by Date: Primality verification needed
Next by Date: Fax Number List
Prev by thread: Re: SSL Man-in-the-middle
Next by thread: Re: Exchange random numbers (was: Re: netscape's response)
Index(es):
- Date
- Thread