On Dec 15, 6:46 pm, Sripathi Krishnan <sripathi.krish...@gmail.com>
wrote:
> Explain to me how Mallory can put in a fake/invalid/duplicate/whatever SSL
> certificate when Alice and Bob are communicating.

Mallory can start a C.A. business, like Go Daddy does. It would get
its certificate from Verizon and then craft its own certificates,
including a fake one that would be accepted by any browser. If Mallory
is smart, he/she teams up with a friend - Mark. Mallory creates the
false certificate for Mark and if Mark is caught, they agree will take
the blame. Of course, some browsers display a warning when chains of
certificates are involved, but no error. If Mark/Mallory have access
to the communication between Alice and Bob, they can substitute
the false certificate.

I am not saying it is easy to achieve, but it is very possible. Sure,
TLS/SSL makes Mallory/Mark's life harder, but not impossible.

There is also another possible attack: registering a weak public key
in a certificate.

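A simplified model of the trust decision discussed in this thread, added here as an illustration and not part of the original post: it shows why a chain from any subordinate CA under a trusted root is accepted for any hostname, and what an issuer pin plus a key-size floor reject. All names (`Cert`, `chain_is_trusted`, `pinned_check`, `bob.example`, the CA names) and the 2048-bit floor are assumptions; real validation also verifies signatures, and real pinning compares public-key hashes rather than names.

```python
from dataclasses import dataclass

MIN_RSA_BITS = 2048  # assumed policy floor for this example

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    key_bits: int

def chain_is_trusted(chain, roots, hostname):
    """Simplified browser logic: leaf name matches, each cert is issued by
    the next one, issuers are CAs, and the chain ends at a trusted root.
    Signature, expiry and revocation checks are left out of this model."""
    if not chain or chain[0].subject != hostname:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return False
    return chain[-1].issuer in roots

def pinned_check(chain, roots, hostname, pins):
    """Adds what the CA model does not give: only an issuer the site
    operator pinned may vouch for hostname, and no weak keys in the chain."""
    if not chain_is_trusted(chain, roots, hostname):
        return False
    if chain[0].issuer not in pins.get(hostname, set()):
        return False
    return all(c.key_bits >= MIN_RSA_BITS for c in chain)

# Constructed sample data (hypothetical names, not real certificates).
ROOTS = {"Verizon Root"}
PINS = {"bob.example": {"Bob's Usual CA"}}
usual_ca = Cert("Bob's Usual CA", "Verizon Root", True, 2048)
mallory_ca = Cert("Mallory CA", "Verizon Root", True, 2048)
GENUINE = [Cert("bob.example", "Bob's Usual CA", False, 2048), usual_ca]
ROGUE = [Cert("bob.example", "Mallory CA", False, 2048), mallory_ca]
WEAK = [Cert("bob.example", "Bob's Usual CA", False, 512), usual_ca]

if __name__ == "__main__":
    for name, chain in (("genuine", GENUINE), ("rogue", ROGUE), ("weak", WEAK)):
        print(name, chain_is_trusted(chain, ROOTS, "bob.example"),
              pinned_check(chain, ROOTS, "bob.example", PINS))
```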