Greg Stark wrote:
> 
> Kurt Seifried has written an article (www.securityportal.com) in which
> he claims there are man-in-the-middle attacks against SSL. I think
> his article is wrong, but he has conveniently left off enough technical
> details of his attack so that he can always say he meant something else.

He starts with the following assumption:

        The normal user is too stupid to use cryptography.

Meaning:
        He will not verify user and issuer certificates.

        When a user connects to a site with an unknown public key,
        the program asks him:

        Hey. I don't know this certificate. It is issued by
        <Insert Impressing CA name, chosen by the man in the middle>.
        Will you accept it?

        The user will click OK.

> I guess I am most curious about just what his man-in-the-middle
> attack is? My guess is that he is claiming his MITM can replace the
> legitimate server certificate with one of his own choosing. I suspect
> Seifried doesn't understand the CN check which is performed by
> SSL clients and outlined in section 3 of
> http://www.rfc-editor.org/rfc/rfc2818.txt.

The CN is OK. He replaces the certificate with a self-created certificate
from his own CA.

The biggest problem in security is between keyboard and chair.
The user has to know what he is doing.
Normal users don't.
So all computer security is faulty...

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
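The scenario Goetz describes, as an added example that is not part of this thread: a loopback HTTPS server presents a self-signed certificate from a "CA" no client trusts (here the test certificate that Go's net/http/httptest ships, valid for "example.com"), and four client policies are tried against it. Only the client that accepts any certificate (the user clicking OK) or that has explicitly trusted the interceptor's CA for the right hostname gets through; the unknown-issuer case and the RFC 2818 hostname mismatch are both rejected.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Outcomes stands up a loopback HTTPS server presenting a self-signed
// certificate that no client trusts by default (the one net/http/httptest
// ships, valid for "example.com"); it plays the man in the middle. It then
// reports how four client policies fare: trust only the system CAs; trust the
// interceptor's CA but expect another hostname (the RFC 2818 name check);
// trust its CA and expect the right hostname; and "click OK" on anything.
// A nil error means that client accepted the server as genuine.
func Outcomes() (unknownCA, wrongName, trusted, clickOK error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	pool := x509.NewCertPool() // trust store of a user who once accepted the interceptor's CA
	pool.AddCert(srv.Certificate())
	dial := func(cfg *tls.Config) error {
		conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), cfg)
		if err == nil {
			conn.Close()
		}
		return err
	}
	unknownCA = dial(&tls.Config{ServerName: "example.com"})
	wrongName = dial(&tls.Config{ServerName: "www.other.com", RootCAs: pool})
	trusted = dial(&tls.Config{ServerName: "example.com", RootCAs: pool})
	clickOK = dial(&tls.Config{InsecureSkipVerify: true})
	return
}

func main() {
	a, b, c, d := Outcomes()
	fmt.Printf("system CAs only: %v\nwrong hostname: %v\ntrusted CA, right name: %v\nclick OK: %v\n", a, b, c, d)
}
```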