OMG... I now know, or think I know, what you are talking about, and I am an idiot for not realizing it sooner. (should have realized it when you said "end point")

The client exchanges keys and requests while the proxy pretends to be the server in question, and the proxy pretends to be the client sending and receiving data to and from the real server; thus enabling the man in the middle attack.

Only one question remains... what if the server and client will only accept the use of known certificates?
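One way to see what "only accept known certificates" means in practice, as an added example that is not part of this thread or of any product it mentions: a client that, after the normal TLS handshake and chain validation, also checks the server certificate's SHA-256 fingerprint against a pinned set. An intercepting proxy's certificate can be made to pass chain validation (by installing the proxy's CA in the trust store) but it cannot reproduce the pinned fingerprint. The two DER byte strings below are constructed stand-ins, not real certificates; `connect_pinned` uses the standard `ssl` and `socket` modules and is shown for completeness but needs a live host to run.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
EXPECTED_SERVER_DER = b"-- constructed stand-in for the real server's DER certificate --"
PROXY_MINTED_DER = b"-- constructed stand-in for a certificate minted by an intercepting proxy --"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


# The set of fingerprints the client is willing to accept. In a real client this
# would be shipped with the application, not computed at runtime.
PINNED_FINGERPRINTS = frozenset({fingerprint(EXPECTED_SERVER_DER)})


def verify_pin(der_cert: bytes, pins=PINNED_FINGERPRINTS) -> bool:
    """Return True only if the presented certificate matches a pinned fingerprint.

    hmac.compare_digest keeps each comparison constant-time; a chain that the OS
    trust store accepts still fails here if the leaf is not one of the pins.
    """
    presented = fingerprint(der_cert)
    return any(hmac.compare_digest(presented, pin) for pin in pins)


def connect_pinned(host: str, port: int = 443, pins=PINNED_FINGERPRINTS,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and enforce the pin before any request is sent.

    create_default_context() still performs ordinary chain and hostname
    validation; the pin check is an additional gate on top of it.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not verify_pin(der, pins):
        tls.close()
        raise ssl.SSLError(
            f"certificate pin mismatch for {host}: got {fingerprint(der or b'')}")
    return tls


if __name__ == "__main__":
    # Offline demonstration on the constructed stand-ins.
    print("real server cert accepted:", verify_pin(EXPECTED_SERVER_DER))   # True
    print("proxy-minted cert accepted:", verify_pin(PROXY_MINTED_DER))     # False
```

The important design point is that the pin is checked on the leaf certificate the peer actually presented (`getpeercert(binary_form=True)`), after the handshake, so the decision does not depend on which CAs happen to be trusted on the machine.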

Anthony Pace wrote:
Trying to think a little clearly here.
From what you are saying, does FF3 not use its own implementation of SSL, and instead connect to the proxy first, where the open text is sent to the proxy, and the proxy is responsible for encrypting the data? If this is the case, then it solves most of my problems; however, I can only think of a few possible uses for this: custom network environments to increase available bandwidth, or to use different encryption methods for proprietary encrypted client-server communication.

Now that I am thinking clearly, is this the case? And if so, thank you very much for the suggestion.

Anthony Pace wrote:
I need to know; so if you have a doc that shows I am wrong about how FF3 encrypts the data, then, with all due respect and a hallelujah, it would be appreciated.

Anthony Pace wrote:
This is for a man in the middle attack where the attacker (theoretically, I) wouldn't know the keys that the client and the server are exchanging.

A proxy would only be able to monitor the stream, but it would not be able to decipher the data unless the handshake was faulty or the keys were small enough to break; however, if you know different, and I really mean it, if my logic is screwed and I need to know, please tell me.

Thanks,
Anthony


Dave Watts wrote:
I know I could create a proxy and run a filter on each request; yet, this
would not allow me to modify the request before FF3 encrypts it.

Yes it will. The proxy would serve as the SSL endpoint. Paros proxy
does this quite easily, and there's plenty of documentation out there
on how to use it, last I looked.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
_______________________________________________
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders