On Tue, 19 Dec 2000, Thomas Nichols wrote:
> The best method is to not have the SSL certificate and key on the server to
> begin with. I use a non-ip based ssl accelerator.
This not a protection against this attack.
This attack doesn't steal the private key of the host, it only relies on
the "dumbness" of the users, which only clicks "OK" when a warning pops up
(considering that the user doesn't know anything about PKI).
This attack is not against SSL, or SSH, but only against the users.
> Michael Sierchio wrote:
>
> > Eric Rescorla wrote:
> >
> > > This isn't a MITM attack, however.
> >
> > Sorry, Eric -- if you don't know or trust the signer, then you only
> > know that the presenter (could be a MITM) has the private key associated
> > with the pubkey in the cert. This means that a MITM attack is entirely
> > possible. Trust in the CA is required to assure the binding of the
> > SubjectPublicKeyInfo to the DN. That's the feature that prevents
> > the MITM attack. There's also the convention among browser implementations
> > that the CN should be the FQHN, which is a PITA for numerous reasons.
> >
> > Of course, your browser presents no warnings whatsoever for certs
> > signed by any number of CAs that are "trusted" simply because their
> > root certs are bundled with the browser. And unless you manually
> > retrieve a CRL, you only know that a cert was valid when it was
> > issued.
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List [EMAIL PROTECTED]
> > Automated List Manager [EMAIL PROTECTED]
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
--
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
------
Computers can never replace human stupidity.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]