From: “David J. Bianco” <bianco@itribe.net>
To: Eric Young <eay@mincom.oz.au>
Message Hash: fcb015442738f8cbd98902584228e75fa0f1a80e68d01a923045d31a875b3d8e
Message ID: <199509251247.IAA27297@gatekeeper.itribe.net>
Reply To: <Pine.SOL.3.91.950925090641.7344B-100000@orb>
UTC Datetime: 1995-09-25 17:10:14 UTC
Raw Date: Mon, 25 Sep 95 10:10:14 PDT
Subject: Re: SSL Man-in-the-middle
MIME-Version: 1.0
Content-Type: text/plain
On Sep 25, 9:35, Eric Young sent the following to the NSA's mail archives:
> Subject: Re: SSL Man-in-the-middle
||
|| On Fri, 22 Sep 1995, David J. Bianco wrote:
|| > Has anyone given much thought to the feasibility of a man-in-the-middle
|| > attack against an SSL (or other similar) transaction? To me, the
|| > possibility seems obvious, so I figure it must have been discussed before,
|| > though I haven't seen it.
|| ....
|| > Since neither the browser nor the server perform any authentication checks,
|| > neither Bob nor Alice know they are really speaking to Mallet. The best
|| > Alice can do is check the IP address of the client she's speaking to, but
||
|| Ah, err, the infamous problem of Netscape Navigator refusing to talk to
|| SSL httpd's because they don't have a certificate issued by Verisign is
|| caused by the client authenticating the Server certificate.
|| To get a Verisign signed x509 certificate requires quite a bit of proof
|| that your company is who they claim they are. So server authentication
|| is used.
||
Not so. VeriSign can only vouch for identity, not intention. I can fork
out $300 (at last count) and get a signed certificate for my fake company.
If the stakes are high enough, I can incorporate fairly cheaply, get a
business license, and then I'd have a real company I could submit as.
Or, if I'm lazy, don't have enough money, or am unwilling to leave a paper
trail, I'd break into someone's weakly secured server and steal their
certificate.
In either case, I've obtained a "legitimate" signed certificate for
illegitimate purposes. That's why I don't think just verifying the
signature on the certificate is nearly enough.
--
==========================================================================
David J. Bianco | Web Wonders, Online Oddities, Cool Stuff
iTribe, Inc. | Phone: (804) 446-9060 Fax: (804) 446-9061
Suite 1700, World Trade Center | email: <bianco@itribe.net>
Norfolk, VA 23510 | URL : http://www.itribe.net/~bianco/
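
The point argued in the message above, as an added example that is not part of the original message or of any SSL implementation: a client that accepts any CA-signed certificate also accepts Mallet's legitimately issued one, while a client that also binds the certificate subject to the host it meant to reach does not. All names, keys and certificates are constructed, and HMAC-SHA256 stands in for the CA's public-key signature.

```python
import hashlib
import hmac

# Constructed demo key; HMAC-SHA256 is a stand-in for the CA's real signature scheme.
CA_KEY = b"demo-ca-signing-key"


def _body(cert):
    return f"{cert['subject']}|{cert['public_key']}".encode()


def issue(subject, public_key):
    """The CA signs the identity the applicant proved; it cannot vouch for intent."""
    cert = {"subject": subject, "public_key": public_key}
    cert["sig"] = hmac.new(CA_KEY, _body(cert), hashlib.sha256).hexdigest()
    return cert


def signature_ok(cert):
    expected = hmac.new(CA_KEY, _body(cert), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


def accept_signature_only(cert, intended_host):
    """Weak policy: any certificate the CA signed is accepted, whoever it names."""
    return signature_ok(cert)


def accept_bound(cert, intended_host):
    """Stricter policy: valid signature AND subject equals the host we meant to reach."""
    return signature_ok(cert) and cert["subject"].lower() == intended_host.lower()


# Constructed certificates: Alice's real server and Mallet's registered company.
alice = issue("shop.alice.example", "alice-pub")
mallet = issue("www.mallet-corp.example", "mallet-pub")
forged = dict(mallet, subject="shop.alice.example")  # subject edited after signing

if __name__ == "__main__":
    host = "shop.alice.example"  # the server Bob intended to reach
    for name, cert in [("alice", alice), ("mallet", mallet), ("forged", forged)]:
        print(f"{name:7} signature-only={accept_signature_only(cert, host)} "
              f"bound={accept_bound(cert, host)}")
```

A certificate stolen together with its private key is Alice's own certificate, so it passes both policies; the name check only addresses the first case raised in the message.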