From: Eric Young <eay@mincom.oz.au>
Date: Sun, 24 Sep 95 17:47:19 PDT
To: "David J. Bianco" <bianco@itribe.net>
Subject: Re: SSL Man-in-the-middle
In-Reply-To: <199509221407.KAA23176@gatekeeper.itribe.net>
Message-ID: <Pine.SOL.3.91.950925090641.7344B-100000@orb>
MIME-Version: 1.0
Content-Type: text/plain



On Fri, 22 Sep 1995, David J. Bianco wrote:
> Has anyone given much thought to the feasability of a man-in-the-middle
> attack against an SSL (or other similar) transaction?  To me, the
> possibility seems obvious, so I figure it must have been discussed before,
> though I haven't seen it.
....
> Since neither the browser nor the server perform any authentication checks,
> neither Bob nor Alice know they are really speaking to Mallet.  The best
> Alice can do is check the IP address of the client she's speaking to, but

Ah, err, the infamious problem of Netscape Navigator refusing to talk to 
SSL httpd's because they don't have a certificate issued by Verisign is 
caused by the client authentication the Server certificate.
To get a Verisign signed x509 certificate requires quite a bit of proof 
that your company is who they claim they are.  So server authentication 
is used.

eric
--
Eric Young                  | Signature removed since it was generating
AARNet: eay@mincom.oz.au    | more followups than the message contents :-)