Re: SSL & Man In the Middle Attack
From: Barry Margolin (barmar@genuity.net)
Date: 01/15/03
- In reply to: JoshB: "Re: SSL & Man In the Middle Attack"
- Next in thread: JoshB: "Re: SSL & Man In the Middle Attack"
- Reply: JoshB: "Re: SSL & Man In the Middle Attack"
- Reply: Anne & Lynn Wheeler: "Re: SSL & Man In the Middle Attack"
From: Barry Margolin <barmar@genuity.net>
Date: Wed, 15 Jan 2003 15:21:07 GMT
In article <c52a4e65.0301142124.486964d4@posting.google.com>,
JoshB <metrix007@yahoo.com> wrote:
>Anne & Lynn Wheeler <lynn@garlic.com> wrote in message
>news:<8yxpfewt.fsf@earthlink.net>...
>> "NEWS.DFN.CIS" <anyone@nowhere.com> writes:
>> > Hi, I'm a newbie
>> >
>> > I was wondering if SSL was still vulnerable to man in the middle attack?
>> >
>> > E.g., if someone is sitting between me and a trusted server, and
>> > intercepts our handshake during initiation of our secure conversation, isn't
>> > it possible for the middle man to intercept all messages from server to me
>> > (but not from me to server)?
>>
>> server sends client a signed message along with a digital certificate.
>> the client validates the digital certificate (i.e. it is for the
>> server that i think i'm talking to) and then validates the signed
>> message using the public key in the digital certificate (i.e. the
>> server has to be the one described in the digital certificate or
>> otherwise the signed message wouldn't verify).
>
>mitm couldn't fake a digital certificate? mitm could get a copy and
>then send it back to client? or just sniff it and client gets it
>anyway

If it sends the server's real certificate, it will contain the server's
public key. The client will encrypt its response with that public key, but
the MITM won't be able to decrypt it, because that requires knowing the
server's private key.

If the MITM sends a fake certificate, it won't be properly signed by the
CA, so the client should reject it.

This is the whole point of digital certificates -- if you trust the CA,
then they are unforgeable.

-- 
Barry Margolin, barmar@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
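
Added example, not part of the original post: the two cases from the reply above, worked through with textbook RSA on constructed toy keys. The host name, key sizes, certificate layout and all function names are assumptions made for illustration; real SSL/TLS uses X.509 certificates and padded RSA.

```python
import hashlib

E = 65537  # public exponent used by every toy key below

def keygen(p, q):
    """Textbook RSA from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(name, pub_n):
    """SHA-256 of the certificate body: subject name bound to subject public key."""
    return int.from_bytes(hashlib.sha256(f"{name}|{pub_n}".encode()).digest(), "big")

def issue_cert(name, pub_n, signer_n, signer_d):
    """Sign the name/key binding with the signer's private exponent."""
    sig = pow(digest(name, pub_n) % signer_n, signer_d, signer_n)
    return {"name": name, "n": pub_n, "sig": sig}

def client_accepts(cert, expected_name, ca_n):
    """Client side: name must match and the signature must verify under the CA key."""
    signed_ok = pow(cert["sig"], E, ca_n) == digest(cert["name"], cert["n"]) % ca_n
    return cert["name"] == expected_name and signed_ok

# Constructed toy keys from Mersenne primes (far too small and structured for real use).
M = {k: 2**k - 1 for k in (61, 89, 107, 127, 521, 607)}
CA_N, CA_D = keygen(M[521], M[607])      # trusted CA; the client ships with CA_N
SRV_N, SRV_D = keygen(M[107], M[127])    # genuine server
MITM_N, MITM_D = keygen(M[61], M[89])    # interceptor's own key pair

HOST = "shop.example"
real_cert = issue_cert(HOST, SRV_N, CA_N, CA_D)
# Interceptor has no CA_D, so it can only self-sign, or reuse the CA's signature on its own key.
self_signed = issue_cert(HOST, MITM_N, MITM_N, MITM_D)
key_swapped = {**real_cert, "n": MITM_N}

def relay_real_cert(secret):
    """Interceptor forwards the real cert; client encrypts the secret to the server's key.
    Returns (what the server recovers, what the interceptor recovers with its own key)."""
    ciphertext = pow(secret, E, real_cert["n"])
    return pow(ciphertext, SRV_D, SRV_N), pow(ciphertext, MITM_D, MITM_N)

if __name__ == "__main__":
    secret = 2**200 + 12345  # constructed stand-in for the client's key-exchange secret
    print("real cert accepted:", client_accepts(real_cert, HOST, CA_N))
    print("self-signed accepted:", client_accepts(self_signed, HOST, CA_N))
    print("key-swapped accepted:", client_accepts(key_swapped, HOST, CA_N))
    print("server/interceptor recover:", [v == secret for v in relay_real_cert(secret)])
```

The protection depends entirely on `client_accepts` being enforced: a client that skips the signature or name check accepts either forged certificate.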