Stephan Bauer wrote:
> 
> Hi,
> 
> I would enjoy hearing some opinions on the following
> potential scenario:
> 
> The SSL-Client does no client-auth. and has to transmit
> one string, that contains security-sensitive data.
> Let's think of a man-in-the-middle who lets through
> the handshake-packets, but blocks the data-packets.
> He then performs a brute-force-attack on the sent data,
> and opens a completely new SSL-Connection with the server,
> transmitting the data, that the server expects to receive
> from the one real client.
> 
> I know, with client-auth. you could avoid this, but some
> customers of our solution might not be able to configure
> their server for client-auth. So how realistic do
> you think this to be?

I don't see what gain you have by MitMing that you wouldn't get by
sniffing. Apart from giving yourself away by introducing a huge delay,
that is.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]