
List:       nanog
Subject:    https man in the middle [was: routing between provider edge and C
From:       "Martin Renschler (EWU)" <Martin.Renschler () ewu ! ericsson ! se>
Date:       2003-01-30 2:12:16


It's even worse, a fake certificate from a man in the middle causes a
trustworthy warning! If a certificate is not co-signed by any of the Browser
compiled-in authorities, the Browsers will just ask: "...do you want to trust
<company>". The hacker is completely free to fill in <company> when he creates
his own certificate on the server side (using plain openssl). This will be the
only popup as the fake certificate will match the faked URL. Did M$ expect
people to say "no" to the fake question "Do you want to trust Citibank" when
they are in fact trying to connect to the real Citibank site? The default
behavior of a browser should be to reject unsigned certificates and not even
ask the question. Currently, there is even no warning that <company> was
learned from an unsigned certificate.

/Martin

(disclaimer... does not necessarily reflect the opinion of my employer...)

> Even supposedly secure things like SSL-protected websites and SSH logins
> are vulnerable due to the simple fact that most people won't think twice
> to say "yes" to SSH complaining that it detected a new host key; or notice
> that they're really talking to a different website (or that the lock icon
> is not showing) - if it looks the same, and its URL is similar-looking
> (l->1, O->0, etc; and with newish Unicode URLs the fun is unlimited).
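
Added example, not part of the original message: the reject-by-default policy the message argues for, written in Go against the standard crypto/x509 verifier. The test CA, the organization name "Example Bank" and the host www.example.test are constructed values, and mint, decide and scenario are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mint builds a constructed test certificate; parent == nil makes it self-signed.
func mint(org, host string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{Organization: []string{org}, CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: isCA}
	if parent == nil {
		parent, pkey = t, key // the subject signs its own name: nobody vouches for org
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// decide applies the policy argued for above: chain to a trusted root or reject, no prompt.
func decide(c *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if errors.As(err, new(x509.UnknownAuthorityError)) {
		return fmt.Errorf("reject: name %q is self-asserted, no trusted issuer: %w", c.Subject.Organization, err)
	}
	return err // nil means the chain ends at a trusted root
}

// scenario checks a CA-issued and a self-signed certificate that carry identical names.
func scenario() (issuedErr, selfSignedErr error) {
	const host = "www.example.test"
	ca, caKey := mint("Constructed Test CA", "ca.example.test", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	issued, _ := mint("Example Bank", host, false, ca, caKey)
	selfSigned, _ := mint("Example Bank", host, false, nil, nil)
	return decide(issued, host, roots), decide(selfSigned, host, roots)
}
func main() { fmt.Println(scenario()) }
```

Both certificates carry the same organization and host name; only the one that chains to the trusted root is accepted, and the rejection message marks the displayed name as unverified.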

