No Tim, I am not missing your point. It is me who is not being clear about what I am asking hence why everyone is telling me one thing when I really want to hear something else. I want to protect the authentication data within the SSL session because I do not trust the HTTP BASIC auth and I most certainly do not trust the end users to always do whats right. I want a technology to protect the data, not a user who can be social engineered into doing something wrong.
Tim wrote: >> As suspected... so I am correct; and it is a security threat. I can >> compromise a network, arp poison it, MiTM, access the firewall, >> distributed metastasis, presto... owned... >> > > You are completely missing the point. Did you read my first response? > > If you properly use your PKI, then doing a simple MitM attack, as you > describe, is not possible without bells and whistles going off in your > browser. > > There are plenty of SSL & PKI tutorials online. I suggest you read > some. > > t > -- Regards, Adriel T. Desautels Harvard Security Group http://www.harvardsecuritygroup.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/