On 22.10.2023 at 12:59:18, Matt Corallo via mailop wrote:
> SSL certificates do not, and have never, "protected against MiTM".
> The certificate authority trust model can best be summarized as
> "someone else's DNS resolver and connection", it is not a statement
> of who actually owns the domain or what server is actually supposed
> to be on the other end.
There are various "tiers" of SSL certificates. The "regular" certificates only confirm that you are actually connecting to the domain you wanted to connect to, i.e. you wanted to connect to www.example.com, and the certificate confirms that the server is actually www.example.com.

But the "extended validation" certificates (which were once - when they were introduced - a big thing, and browsers even signalled a connection to a site with an EV certificate with a different URL bar color than to a regular HTTPS site) require the entity requesting a certificate to provide the CA with some official documents confirming that they actually are who they claim to be. When you click on the padlock icon in the browser (at least in Firefox) while connected to a site with an EV certificate, it shows you the actual company name the certificate was issued for, while for "regular" certificates it shows you only "Connection secure".

Of course, this still doesn't protect against "lawful interception", but it does protect against a random MiTM attack, as (at least we assume so) a random attacker cannot obtain an EV certificate belonging to someone else.

However, all this discussion is hardly related to email, as - as many have noted - there's hardly any certificate checking at all between MTAs.

-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
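The distinction drawn in the reply above, as an added example that is not part of the mailop thread: a "regular" (DV) certificate is only checked for whether its subjectAltName covers the hostname you asked for, while the company name Firefox shows for an EV certificate comes from the organizationName attribute in the subject, which a DV certificate simply does not carry. The certificate dicts below use the shape `ssl.SSLSocket.getpeercert()` returns but are constructed for this example, not real certificates; `starttls_context()` is a helper written here (not an smtplib API) to show the opportunistic, no-verification TLS that the post says is typical between MTAs next to the verifying configuration.

```python
"""Added example: what each certificate "tier" proves, and the two
SMTP STARTTLS configurations (verifying vs. opportunistic)."""
import smtplib
import ssl

# Constructed sample certificates in getpeercert() dict form (not real).
DV_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
EV_CERT = {
    "subject": (
        (("countryName", "PL"),),
        (("organizationName", "Example Corp Sp. z o.o."),),
        (("commonName", "www.example.com"),),
    ),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def _hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a wildcard covering exactly one
    leftmost label ("*.example.com" matches "www.example.com" but not
    "example.com" or "a.b.example.com")."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def describe_certificate(cert, hostname):
    """Return (hostname_ok, organization).

    hostname_ok is all a DV certificate ever asserts: some dNSName in the
    SAN covers the host we asked for.  organization is None for DV
    certificates; OV/EV certificates carry the validated company name."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    hostname_ok = any(_hostname_matches(p, hostname) for p in sans)
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return hostname_ok, subject.get("organizationName")


def padlock_text(cert, hostname):
    """Approximation of what the browser padlock popup shows."""
    hostname_ok, org = describe_certificate(cert, hostname)
    if not hostname_ok:
        return "Not secure: certificate is not for " + hostname
    return org if org else "Connection secure"


def starttls_context(verify=True):
    """SSLContext to pass to smtplib.SMTP.starttls(context=...).

    verify=True: chain is validated against the system trust store and
    the hostname is checked, i.e. a MiTM with a self-signed or
    wrong-name certificate is rejected.
    verify=False: opportunistic TLS as most MTAs do it: encrypt, but
    accept any certificate whatsoever."""
    if verify:
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def peer_cert_over_starttls(host, port=25, verify=True):
    """Connect to an MTA, upgrade with STARTTLS and return the peer's
    certificate dict (needs network; not exercised offline)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=starttls_context(verify))
        # getpeercert() returns {} when verify_mode is CERT_NONE.
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    for name, cert in (("DV", DV_CERT), ("EV", EV_CERT)):
        for host in ("www.example.com", "example.com", "a.b.example.com"):
            print(name, host, "->", padlock_text(cert, host))
```

Note the last comment in `peer_cert_over_starttls()`: with `verify_mode = CERT_NONE` the stdlib does not even parse the peer certificate for you, which is a fair picture of how little an opportunistic-TLS MTA learns about who it talked to.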