> Hello David, > I would like to learn more on MITM in this particular scenario. I > used to believe that if a server is using a signed certificate, > the MITM is not possible (Is it possible with techniques like DNS > poisoning?). Looks like I missed something important. Could you > point me to the information on this?
It's really quite simple. A signed certificate does not itself stop a MITM. What stops a MITM is the combination of two things: 1) The real server having something the MITM does not have, and 2) The client verifying that something in a way the MITM cannot fake. If you have both of those two things, you don't have to worry about a MITM. In the typical Internet/browser case, if I go to https://www.amazon.com, I am relying on my browser to make sure that the certificate presented has 'www.amazon.com' as the name the CA is vouching for and I'm relying on no CA that I trust issuing such a certificate to a MITM. So long as those two rules apply, I am fine. The case I was talking about is where you allow the server to use a self-signed certificate or for some other reason the certificate does not contain the server's name vouched for by someone you trust. In that case, you need to stop a MITM some other way. The SSL protocol won't do it for you with a self-signed certificate or a certificate not signed by a trusted CA that contains the name the client is trying to reach. Basically, in this case you can use the original SSL authentication to bootstrap a separate MITM detection step. I strongly recommend doing this in a custom application if you use SSL in a way that prevents its normal MITM detection from being effective. In this case, the OP was defeating SSL's normal MITM detection because his server certificate does not contain a name vouched for by a trusted CA. That's why I suggested an alternate means of MITM detection. DS ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
