> Not quite sure where I would have lost you at. MiTM... SSL...
> fake certs...  no prompts...

Right there between "fake certs" and "no prompts"? In this thread, you've
said two things:

1. You can trick users into visiting your SSL site instead of someone
else's, and they'll click through the "wrong hostname" warning.
2. You can trick users into visiting your SSL site instead of someone
else's, and they won't receive a "wrong hostname" warning. The lack of said
warning would indicate that you've presented them with a valid, signed
certificate (or a fake certificate that will pass inspection against the
root certificate store of the client) that will correspond to the hostname
that the user is actually trying to reach, and will therefore not generate a
security warning.

Now (1) goes without saying. I'm ok with that. I'm aware of the limitations
of relying on users to do the secure thing. But (2) is the sticking point
for me. I'm looking for proof of that.

> It sure seemed to me that that was in fact what you thought
> when it came to this particular type of attack.
>
> Ps. I never mentioned a proxy at any point.

I simply said "any idiot" can set up an SSL proxy. I wasn't referring to you
specifically. But a man-in-the-middle attack is, by nature, a proxy - it
accepts requests from a client, forwards them to a server, then in turn
forwards the response from that server back to the client.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
