Just want to point out tha I didn't write that particular passage. I noted
in the original email that the passage was extracted from a web site and
included in the mail message to illustrate the concept of a man in the
middle attack.
But to answer the question, I think the point that is being made in the
passage is how do you know that you can trust the Certificate Authority ?
You must blindly trust that if the CA signed a certificate that it is
valid, or that if traffic is from the CA that it is valid.
But what is to say that:
- Joe Evil didn't manage to corrupt the data in the web browser at the
site where it was downloaded ? It wouldn't be the first time that a
supposedly "good" source was corrupt.
- The CA has not been compromised ? I would argue that with the
majority of security issues being related to personnel internal to an
organization, that this is not outside the realm of possibility
- Joe Evil managed to get himself set up as a CA ?
I guess the main points here are "can you trust the CA ?" and "how do you
definitively *know* you can trust the CA ?"
===================================================================
Larry Chin {[EMAIL PROTECTED]} Technical Specialist - ISC
Sprint Canada 2550 Victoria Park Avenue
Phone: 416.496.1644 ext. 4693 Suite 200, North York, Ontario
Fax: 416.498.3507 M2J 5E6
===================================================================
On Wed, 7 Jul 1999, Mikael Olsson wrote:
>
> Larry Chin wrote:
> >
> > [Snip]
> > This network attack is known as the Man In The Middle Attack, and is made
> > possible because Public Key encryption relies upon users implicitly
> > trusting whatever message they receive from a system claiming to be the
> > Certificate Authority. There is no method to prove the identity of the
> > Certificate Authority.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > This potential security risk is also the reason why many secure sites,
> > such as military sites, will not use Public Key encryption.
> >
>
> Hmm? Pardon me if I'm entirely wrong, but isn't that what CA
> certificates are all about?
> In the case of web browsers, they come pre-installed with
> a number of public keys related to a number of well-known
> CA's, and may be used to verify the authenticity of what
> is received from the CA.
>
> ?
>
> I'm not an expert in this field, but this is what I
> (have been lead to?) believe.
>
> Regards,
> Mike
>
> --
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 �RNSK�LDSVIK
> Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
> WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
