Re: Kurt Seifred's article on securityportal

Tue, 19 Dec 2000 10:05:37 -0800 

On Tue, 19 Dec 2000, Thomas Nichols wrote:

> The best method is to not have the SSL certificate and key on the server to
> begin with. I use a non-ip based ssl accelerator.

This not a protection against this attack.

This attack doesn't steal the private key of the host, it only relies on
the "dumbness" of the users, which only clicks "OK" when a warning pops up
(considering that the user doesn't know anything about PKI).

This attack is not against SSL, or SSH, but only against the users.
 
> Michael Sierchio wrote:
> 
> > Eric Rescorla wrote:
> >
> > > This isn't a MITM attack, however.
> >
> > Sorry, Eric --  if you don't know or trust the signer, then you only
> > know that the presenter (could be a MITM) has the private key associated
> > with the pubkey in the cert.  This means that a MITM attack is entirely
> > possible.  Trust in the CA is required to assure the binding of the
> > SubjectPublicKeyInfo to the DN.  That's the feature that prevents
> > the MITM attack.  There's also the convention among browser implementations
> > that the CN should be the FQHN, which is a PITA for numerous reasons.
> >
> > Of course, your browser presents no warnings whatsoever for certs
> > signed by any number of CAs that are "trusted" simply because their
> > root certs are bundled with the browser.  And unless you manually
> > retrieve a CRL,  you only know that a cert was valid when it was
> > issued.
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> 

-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
------
Computers can never replace human stupidity.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to