On Mon, Jul 28, 2008 at 11:49:51AM -0400, Joe Guan wrote:
> Hi folks,
>
>
>
> From my understanding that if a TLS/SSL client is using client certificate,
> the compromise of its private key alone won't allow man-in-the-middle attack
> if ciphers are selected properly (of course anonymous ciphers are
> vulnerable) - as the man-in-the-middle cannot forge the signatures made by
> the server side. This being said, having other credentials, the hacker could
> impersonate the client whose private key was stolen.
>
If the user is not verifying the server cert, then compromise of the
client key enables an MITM attack.
Irrespective of that, the attacker can impersonate the user by
connecting directly, assuming the client key is sufficient for user
authentication.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
