: Marc Horowitz [SMTP:[EMAIL PROTECTED]]
> Sent: Sunday, August 22, 1999 1:24 AM
> To: RL 'Bob' Morgan
> Cc: [EMAIL PROTECTED]; Peter Gutmann
> Subject: Re: going around the crypto
>
> "RL 'Bob' Morgan" <[EMAIL PROTECTED]> writes:
>
>
Marcus Leech wrote:
>
> "Steven M. Bellovin" wrote:
> >
> > It's clearly not automatic, but I suspect it would work
> >
> User behaviour is the weak point here--while the browsers WILL notify
> you that the cert is signed by a CA you don't recognize, they also
> give you the option of acc
"RL 'Bob' Morgan" <[EMAIL PROTECTED]> writes:
>> It is my understanding that MIT has a number of widely-used web
>> applications (eg student registration) that have been using only client
>> certs for authentication for a couple of years with reasonable success.
>> You might say that this makes
Peter Gutman said:
>> Smart cards with thumbprint readers are one step in this
>> direction, although they're currently prohibitively expensive.
American Biometrics (www.abio.com) has their Biomouse II, which I once
heard was supposed to retail around $250 or so. The old finger-only
Biomouse sho
Michael Helm wrote:
>
> > > > The attacker could also present a certficate from a fake CA with an
> > > > appropriate name -- say, "Netscape Security Services", or something that
> > > Right. In which case Netscape brings up a different dialog which
> > > says that the server certificate is signe
"Steven M. Bellovin" wrote:
>
> It's clearly not automatic, but I suspect it would work
>
User behaviour is the weak point here--while the browsers WILL notify
you that the cert is signed by a CA you don't recognize, they also
give you the option of accepting the cert, which most users wi
> This isn't really a problem with the servers though, the problem lies
> in the fact that client-side certs are (effectively) unworkable. I
> know of a number of organisations who wanted to use them and ran into
> so many problems just with pilots involving small numbers of
> (presumably) exper
- Original Message -
From: Peter Gutmann <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, August 14, 1999 6:03 AM
Subject: Re: going around the crypto
[...]
> Smart cards with thumbprint readers are one step in this
> direction, although they're
Alan Ramsbottom <[EMAIL PROTECTED]> writes:
>IE5 gives you one or more warnings (unknown CA, invalid cert date, URL-CN
>mismatch) and asks if you want to proceed.
>
>It can also check CRLs, but the feature is disabled by default (doubtless on
>standards/compatibility grounds).
Performance ground
> At one point, IE wouldn't even give you the option of continuing
> the connection. I'm not sure what it does now.
IE5 gives you one or more warnings (unknown CA, invalid cert date, URL-CN
mismatch) and asks if you want to proceed.
It can also check CRLs, but the feature is disabled by default
> > > The attacker could also present a certficate from a fake CA with an
> > > appropriate name -- say, "Netscape Security Services", or something that
> > Right. In which case Netscape brings up a different dialog which
> > says that the server certificate is signed by an unrecognized
> > CA. A
"Steven M. Bellovin" wrote:
>
> The obvious protection is for users to check the certificate. Most users, of
> course, don't even know what a certificate is, let alone what the grounds are
> for accepting one. It would also help if servers used client-side
> certificates for authentication, sin
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
>The obvious protection is for users to check the certificate. Most users, of
>course, don't even know what a certificate is, let alone what the grounds are
>for accepting one. It would also help if servers used client-side
>certificates for auth
PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Steven M. Bellovin
> Sent: Friday, August 13, 1999 7:17 AM
> To: [EMAIL PROTECTED]
> Subject: going around the crypto
>
>
> The L0pht has issued a new advisory for an routing-type attack that can,
> they say, allow for man-in-
In message <[EMAIL PROTECTED]>, EKR writes:
> "Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
> > > Now, this does require that the CAs that your browser trusts follow
> > > the Common Name=domain name convention, but that's just a special
> > > case of trusting your CAs.
> >
> > The attacker co
Right. But to do that you would most have to install your
homemade CA root cert on their browser, which would probably tip off
most users (at least a few customer would call clueless as to how to install
a CA--I know ours would). The only CAs with commonly accepted root certs
wouldn't let you ge
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
> > Now, this does require that the CAs that your browser trusts follow
> > the Common Name=domain name convention, but that's just a special
> > case of trusting your CAs.
>
> The attacker could also present a certficate from a fake CA with an
>
"Steven M. Bellovin" <[EMAIL PROTECTED]> writes:
> The L0pht has issued a new advisory for an routing-type attack that can,
> they say, allow for man-in-the-middle attacks against SSL-protected sessions
> (http://www.l0pht.com/advisories/rdp.txt).
>
> The implication -- that there's a flaw in SSL
In message <[EMAIL PROTECTED]>, "MIKE SHAW" writes:
> It's my understanding that in order to exploit this, you'd have to essentiall
> y
> set yourself up as a proxy after sending the RDP advert If this is the case,
>
> wouldn't the fact that the man in the middle did not have the cert that
> co
It's my understanding that in order to exploit this, you'd have to essentially
set yourself up as a proxy after sending the RDP advert If this is the case,
wouldn't the fact that the man in the middle did not have the cert that
corresponded to the domain name cause at least one warning for most
The L0pht has issued a new advisory for an routing-type attack that can,
they say, allow for man-in-the-middle attacks against SSL-protected sessions
(http://www.l0pht.com/advisories/rdp.txt).
The implication -- that there's a flaw in SSL -- is probably wrong. But
they're dead-on right that the
21 matches
Mail list logo
