Ian G wrote:
My click indicated that I was willing to view the site without
signature and encryption, and the browser should remind me of that
decision.
Anyone agree? Disagree?
Jan got a signed and encrypted connection to
the .co.uk. It just wasn't signed by the .co.uk,
instead it was signed by the .com. In this case,
we might as well assume that they are totally
distinct, so it could have been PhishMarket.com.
So on that analysis the padlock is wrong.
Hmmm... so if this *was* an MITM, the
fact that Jan is trying to connect to the
.co.uk, and has been fully authenticated
as talking to the .com would indicate that
the attacker has simply used any good cert
that has been signed by some CA. And then
he's set up a separate connection from his
middle site on to the valid site.
So, yes, this is (indicative of) a full-blooded,
honest MITM. Using a valid cert signed by
a CA. And the padlock is wrong.
(Curiously, though, what happens if there
is a redirect fed to the browser in an MITM,
that takes it to a different site with the right
cert according to the redirected URL?)
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
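
Added example, not part of the original post or of any browser's code: a simplified certificate name check (a wildcard is accepted only as the whole left-most label) applied to the two cases in the message, a .co.uk request answered with a .com certificate, and a redirect to a host whose certificate is right for the redirected URL. All hostnames and certificate name lists are constructed, and `audit_navigation` is a hypothetical helper.

```python
# Added illustration; hostnames and certificate name lists are constructed.

def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate dNSName with the requested host.
    Simplified rule: '*' may only be the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # The wildcard covers exactly one label and must be followed
        # by at least two fixed labels ("*.com" is rejected).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host):
    """True if any name in the presented certificate covers the host."""
    return any(dns_name_matches(n, host) for n in cert_names)


def audit_navigation(typed_host, hops):
    """hops: ordered list of (host_requested, names_in_presented_cert).
    Returns findings; an empty list means every certificate matched
    its host and the host never differed from the one typed."""
    findings = []
    for host, names in hops:
        if not cert_covers(names, host):
            findings.append(("name-mismatch", host))
        if host.lower() != typed_host.lower():
            findings.append(("host-changed", host))
    return findings


TYPED = "www.shop.example.co.uk"

# Case in the message: request goes to the .co.uk, the certificate
# presented was issued for the .com.
DIRECT = [("www.shop.example.co.uk",
           ["www.shop.example.com", "shop.example.com"])]

# Case in the closing question: the connection ends up on a different
# host whose certificate is correct for that redirected host.
REDIRECTED = [("www.shop.example.com", ["www.shop.example.com"])]

if __name__ == "__main__":
    print(audit_navigation(TYPED, DIRECT))
    print(audit_navigation(TYPED, REDIRECTED))
```

In the redirected case the name check on its own is satisfied; only the comparison against the host that was originally typed records that anything changed.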