> >Ahha! I know what we'll do, we'll require certificate authentication! > >Ok, assuming I have a list of the major CAs and the the certificate > >verified correctly > > You're missing the point. A hijack or redirect is not a MITM > attack. These words have specific meaning, which you are abusing.
No, I'm not. I promise you. Perhaps we're working from two different dictionaries, but the one I use (network security lingo) clearly does define that as one of the definitions. Think Dug Songs' dsniff (http://www.monkey.org/~dugsong/dsniff/ which provides MITM for ssh, https, etc. > Authentication != Authorization Correct. Agreed. > >Yes, this is a 100% valid definition of MITM. At least to us > >security/network folks. SSL was designed to *provide you the > >ability* to prevent MITM attacks, but you need to do all the > >checks above, it doesn't just happen by itself. > > You are simply mistaken. SSL is -IN SE- proof against MITM > attack. It is computationally infeasible to succesfully interpose > and perform the handshake between a client and a server in a non-anon > setting. > > If you connect to and authenticate the wrong server, that's > not a MITM. Ok, let's take a vote. All who think this can be called MITM, please respond to /dev/null. Those who do not, please respond to /usr/../dev/null. So, what would you call it if someone interposes themselves in between you and the endpoint and you do not know that they are there? Is there not a generic term for it? Wouldn't that be.... oh never mind. I'm exiting this thread now. -- Brian Hatch "Ouch! That's really painful." Systems and Reegen, 23 months, Edinburg, Security Engineer Scotland, 3am, as part of a http://www.ifokr.org/bri/ several hour long attempt to get out of her crib. Every message PGP signed
pgp00000.pgp
Description: PGP signature