Michael Sierchio wrote:
> Are you or are you not the same David Schwartz who claimed that SSLv3 is
> vulnerable to MITM? If so, what have you learned since then?
If a browser has a maliciously-included root certificate placed there
by an attacker and is using a SOCKS proxy also controlled by an attacker, is it
vulnerable to a MITM attack? Is there anything wrong with its SSLv3
implementation? The correct answers are "yes, it's vulnerable to a MITM attack"
and "no, it's still doing SSLv3 exactly right".
SSLv3's protection against a MITM attack in the case of my browser
connecting to https://www.amazon.com relies on no MITM having a certificate
that my browser will accept as valid for https://www.amazon.com. (Otherwise, he
can successfully interpose himself in the SSL connection and decrypt all the
data passed and re-encrypt it for the other end.)
SSLv3 itself cannot assure me of the nonexistence of an attacker with
such a certificate. Yet that nonexistence is part of my assurance that I'm
immune to MITM attacks.
If you're talking about this post:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg32016.html
The key excerpt from that post is this:
"The MITM can run separate SSL sessions to both the server and the client
and proxy the plaintext between the two connections. That's well within the
scope of what a MITM can do.
SSLv3 only provides protection against a MITM attack if one of two things
is the case:
1) The end that cares about authentication (the client for HTTPS) compares
the name in the certificate against the name of the server it wants to talk
to, OR
2) Only trusted parties have access to certificates signed by any CA the
end that cares about authentication trusts.
The Internet security model employs option 1. Without it, there would be no
protection whatsoever from a MITM who closes both SSL sessions and proxies
the plaintext."
And it is very important that people who use OpenSSL understand this.
SSLv3's protection against a MITM attack when your custom program
connects to some other custom program relies on you designing the scheme such
that some equivalent guarantee exists. SSLv3 can't provide that guarantee all
by itself.
SSLv3 provides a mechanism to protect against MITM attacks. It's up to
the program using it to take advantage of that mechanism. You can't say "I use
SSLv3 so I'm invulnerable to MITM attacks", but you can say, "I use SSLv3 as
part of a comprehensive security scheme that prevents MITM attacks".
See, for example:
http://www.pburkholder.com/sysadmin/SSL-mitm/index.php
DS
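The "option 1" check the post describes (the client comparing the name in the certificate against the name it wanted to talk to), as an added example that is not part of the original post or of OpenSSL itself: a plain name-matching function over the DNS names of a peer certificate, plus the Python `ssl` context settings that make the library perform that check for you. The sample certificate dictionary is constructed for illustration.

```python
"""Added example: hostname verification, the check that turns SSLv3/TLS's
MITM protection into an actual guarantee for an HTTPS-style client."""
from __future__ import annotations

import ssl


def hostname_matches(wanted: str, cert_names: list[str]) -> bool:
    """True if the server name the client intended to reach is covered by one
    of the certificate's DNS names. A wildcard is honoured only as the whole
    leftmost label and never matches across a dot (so *.example.net does not
    cover a.b.example.net, nor the bare example.net)."""
    wanted = wanted.rstrip(".").lower()
    for name in cert_names:
        name = name.rstrip(".").lower()
        if name == wanted:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.net"
            rest = wanted[: -len(suffix)] if wanted.endswith(suffix) else ""
            if rest and "." not in rest:  # exactly one non-empty label
                return True
    return False


def dns_names_from_cert(cert: dict) -> list[str]:
    """Extract DNS names from the dict shape SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def verifying_context() -> ssl.SSLContext:
    """Client context that requires a chain to a trusted root AND checks the
    peer's name against the server_hostname given to wrap_socket(). Disabling
    check_hostname leaves exactly the gap the post warns about: any cert from
    any trusted CA would then let a MITM terminate both SSL sessions."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must reach a trusted CA
    ctx.check_hostname = True            # option 1 in the post
    return ctx


# Constructed stand-in for getpeercert() output; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}
```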
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]