[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: BoS: Can you trust your ISP ??

Any sort of Certificate authority based protocol is dumb.  It's like RSAC
charging 500 bucks for rating a web site.  Nothing anyone does on the web is
important enough to encrypt.  

Anyway, as far as SSL goes...we've all heard about how proactive Netscape is
in preventing key comprimise.  

Its too late.

Ben Camp

At 06:49 PM 9/9/96 -0700, Eric Murray wrote:
>I~nigo Gonzalez writes:
>> Hello, 
>>    I'm thinking about how can I get rid off this kind of attack *before* it 
>> happens. Can you please send me your comments about this? I don't know so 
>> much about the how SSL works, but I think this is something that can 
>> happen...
>[classic Man-in-the-Middle attack]
>What you described is the Man In The Middle attack, often
>abbreviated on these lists as MITM.  The fact that there's
>an abbreviation for it should indicate to you how often
>it is discussed.  However it's also one of the first
>problems (besides the basic encryption) that protocol
>designers think of.
>It's been taken care of in SSL3- the server's certificate
>must be signed by a CA that the client trusts.  Unless
>the digital signature can be spoofed, and it probably
>can't be, the client can be certain that the server certificate it got
>is really from the server that it claims to be from.
>Assuming that RSA still can't be broken, the client can be sure
>that the pre-master-key material that it sends to the server
>(and which is the basis for the symmetric crypto session keys)
>will not be compromised.
>If you grab a copy of the SSL3 spec (from netscape's web site)
>and read the appendicies there's more good stuff about possible
>attacks and what's been done to counter them.
>Eric Murray  [email protected]  [email protected]  http://www.lne.com/ericm
>Principal, LNE Consulting: SSL, crypto applications, Internet security.
>PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03  92 E8 AC E6 7E 27 29 AF