From: Tony Nelson <[EMAIL PROTECTED]>
tnelson> On Mon, May 01, 2000 at 08:44:17AM -0600, Mike Nigbor wrote:
tnelson> > OK, so how does this differ from a "man-in-the-middle" attack?
tnelson> >
tnelson> > Since there are two SSL sessions, there must be two session
tnelson> > encryption keys and the proxy must be decrypting and
tnelson> > re-encrypting everything it sees.
tnelson> >
tnelson> > If I'm a client, shouldn't I reject such a connection?
tnelson>
tnelson>
tnelson> It doesn't .. it actually is a man-in-the-middle
tnelson> attack.. however, the "attack" is being done by the
tnelson> corporation that writes your paycheck.. and there are very
tnelson> valid reasons for a company to be doing such things.. as a
tnelson> client, (or server) you really have no way of detecting that
tnelson> this is happening..
I understand that some corporations choose to do that, although I do
not agree with that kind of practice. What I can't understand is how
it would go undetected, at least if the client or server does
certificate verification (and I'm especially thinking of servers that
might have a very strict check on the client certificate)...
tnelson> Basically, you end up w/ this picture..
tnelson>
tnelson> --------                   -------                   ----------
tnelson> | user | --- session 1 --- | f/w | --- session 2 --- | server |
tnelson> --------                   -------                   ----------
--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN            \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team
Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
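Added example, not part of the thread above and not OpenSSL project code: a shell script that builds the picture from the thread with the openssl CLI and shows what a verifying client on "session 1" can and cannot notice. It constructs a genuine CA and server certificate, a separate "firewall" CA and a look-alike certificate for the same host (the name www.example.test and every file name are made up for the example), then runs two client-side checks against both certificates: chain verification against a trust store, and a pin on the genuine server's SubjectPublicKeyInfo. It assumes a reasonably recent openssl binary on PATH (the -verify_hostname, -pkeyopt and -config options are used).

```sh
#!/bin/sh
# Added example (not from the thread): intercepting proxy vs. client checks.
set -e
HOST=www.example.test                 # constructed hostname for the example
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
# x509_extensions only applies to the self-signed CA certs (req -x509).
cat > req.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_ca() {  # make_ca <file-prefix> <CN>   (EC key for speed)
    openssl req -config req.cnf -x509 -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_server_cert() {  # make_server_cert <file-prefix> <ca-prefix>
    openssl req -config req.cnf -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$HOST" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$HOST" > san.cnf
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -extfile san.cnf -out "$1.pem" 2>/dev/null
}

make_ca real_ca "Real CA"
make_server_cert server real_ca        # what the real server shows on session 2
make_ca fw_ca "Corporate Firewall CA"
make_server_cert fw_server fw_ca       # what the f/w shows the user on session 1
cat real_ca.pem fw_ca.pem > corp_bundle.pem  # trust store after IT pushes the f/w CA

# Check 1: does the presented cert chain to my trust store, for my hostname?
chain_ok() {  # chain_ok <presented-cert> <ca-bundle>
    [ "$(openssl verify -CAfile "$2" -verify_hostname "$HOST" "$1" 2>/dev/null)" \
      = "$1: OK" ]
}

# Check 2: key pinning. base64(SHA-256(DER SubjectPublicKeyInfo)) of the
# genuine server key; the f/w cannot reproduce it without the server's key.
spki_pin() {  # spki_pin <cert>
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | openssl base64
}
pin_ok() {  # pin_ok <presented-cert> <expected-pin>
    [ "$(spki_pin "$1")" = "$2" ]
}
EXPECTED_PIN=$(spki_pin server.pem)    # learned out of band from the real server

report() {  # report <label> <presented-cert> <ca-bundle>
    if chain_ok "$2" "$3"; then c=accept; else c=REJECT; fi
    if pin_ok "$2" "$EXPECTED_PIN"; then p=accept; else p=REJECT; fi
    echo "$1: chain=$c pin=$p"
}
report "direct, stock trust store" server.pem real_ca.pem
report "intercepted, stock trust store" fw_server.pem real_ca.pem
report "intercepted, f/w CA installed" fw_server.pem corp_bundle.pem
```

The three report lines make the point of the thread concrete: with only the public CA trusted, a verifying client rejects the firewall's certificate outright; once the corporate CA has been pushed into the client's trust store, chain verification accepts it and the interception is invisible to that check, and only the pin on the real server's key still catches it.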