From: Ben Camp <benc@geocel.com>
To: Eric Murray <nexus@adv.es (I~nigo Gonzalez)
Message Hash: 4eb21f01902173418893853628d046dc8978a4dcb379854a5de90cc5755fd25c
Message ID: <2.2.32.19960910063040.006e5128@lithium>
Reply To: N/A
UTC Datetime: 1996-09-10 09:05:55 UTC
Raw Date: Tue, 10 Sep 1996 17:05:55 +0800
From: Ben Camp <benc@geocel.com>
Date: Tue, 10 Sep 1996 17:05:55 +0800
To: Eric Murray <nexus@adv.es (I~nigo Gonzalez)
Subject: Re: BoS: Can you trust your ISP ??
Message-ID: <2.2.32.19960910063040.006e5128@lithium>
MIME-Version: 1.0
Content-Type: text/plain
Any sort of Certificate authority based protocol is dumb. It's like RSAC
charging 500 bucks for rating a web site. Nothing anyone does on the web is
important enough to encrypt.
Anyway, as far as SSL goes...we've all heard about how proactive Netscape is
in preventing key comprimise.
Its too late.
Ben Camp
At 06:49 PM 9/9/96 -0700, Eric Murray wrote:
>I~nigo Gonzalez writes:
>>
>> Hello,
>> I'm thinking about how can I get rid off this kind of attack *before* it
>> happens. Can you please send me your comments about this? I don't know so
>> much about the how SSL works, but I think this is something that can
>> happen...
>
>[classic Man-in-the-Middle attack]
>
>
>What you described is the Man In The Middle attack, often
>abbreviated on these lists as MITM. The fact that there's
>an abbreviation for it should indicate to you how often
>it is discussed. However it's also one of the first
>problems (besides the basic encryption) that protocol
>designers think of.
>
>It's been taken care of in SSL3- the server's certificate
>must be signed by a CA that the client trusts. Unless
>the digital signature can be spoofed, and it probably
>can't be, the client can be certain that the server certificate it got
>is really from the server that it claims to be from.
>
>Assuming that RSA still can't be broken, the client can be sure
>that the pre-master-key material that it sends to the server
>(and which is the basis for the symmetric crypto session keys)
>will not be compromised.
>
>
>If you grab a copy of the SSL3 spec (from netscape's web site)
>and read the appendicies there's more good stuff about possible
>attacks and what's been done to counter them.
>
>
>
>
>--
>Eric Murray ericm@lne.com ericm@motorcycle.com http://www.lne.com/ericm
>Principal, LNE Consulting: SSL, crypto applications, Internet security.
>PGP keyid:E03F65E5 fingerprint:50 B0 A2 4C 7D 86 FC 03 92 E8 AC E6 7E 27 29 AF
>
>
>
Return to September 1996
Return to “Ben Cox <cox@transarc.com>”