Re: SSL & Man In the Middle Attack
From: Anne & Lynn Wheeler (lynn@garlic.com)
Date: 01/16/03
- Next message: SomeBlokeCalledRapunzelSyndrome: "Re: Pegasus (Was Re: Do I need a router? (pt 2))"
- Previous message: Jacco Tunnissen: "Re: Current threats?"
- In reply to: Anne & Lynn Wheeler: "Re: SSL & Man In the Middle Attack"
- Next in thread: Lyal Collins: "Re: SSL & Man In the Middle Attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Anne & Lynn Wheeler <lynn@garlic.com> Date: Thu, 16 Jan 2003 12:19:48 GMT
Anne & Lynn Wheeler <lynn@garlic.com> writes:
> 3. corrupt the database entry that the information in the certificate
> is taken from. I call this the irony or catch22 exploit. The reason
> for SSL domain name certificates have been issues with the integrity
> of the domain name infrastructure. However, the authoritative agency
> for domain name ownership is the domain name infrastructures. CAs when
> asked to issue a SSL domain name server certificate, check with the
> domain name infrastructure to see if they are actually dealing with
> the owner of the domain name. If that answer comes back "yes", the CAs
> then issue the certificate. The attack that has happened on the domain
so the other part of the irony/catch22
the ssl domain name certificate ... basically amounts to fields
from some account record in a domain name infrastructure database
(possibly asn.1 encoded and then digitally signed) ... the security of
the business process really revolves around the security that the
domain name infrastructure uses for those account records.
not only do ssl domain name certificates owe their existance to
concerns about various integrity issues regarding the domain name
infrastructure ... but the originating business process integrity of
the ssl domain name certificates is dependent on the integrity of the
domain name infrastructure ... one irony/catch22 is while ssl domain
name certificates existance are dependent on concerns about domain
name infrastructure integrity issues ... those certificate's integrity
are based on the integrity of the domain name infrastructure
integrity.
so somewhat from the CA industry there are various suggestions to
improve the integrity of the domain name infrastructure ... in order
that the CA industry can depend on the integrity of the domain name
infrastructure for the information that they manufacture into ssl
domain name certificates. however, improving the integrity of the
domain name infrastructure ... could also be viewed as reducing the
concerns about domain name infrastructure integrity issues ... and
therefor reducing the need for ssl domain name certificates.
from that standpoint ... the ca industry walks a fine line ... they
want to have the integrity of the domain name infrastructure
improved/sufficient so that people can trust the information in ssl
domain name certificates ... but not improved so much as to obsolete
the need for ssl domain name certificates.
-- Anne & Lynn Wheeler | lynn@garlic.com - http://www.garlic.com/~lynn/ Internet trivia, 20th anniv: http://www.garlic.com/~lynn/rfcietff.htm
- Next message: SomeBlokeCalledRapunzelSyndrome: "Re: Pegasus (Was Re: Do I need a router? (pt 2))"
- Previous message: Jacco Tunnissen: "Re: Current threats?"
- In reply to: Anne & Lynn Wheeler: "Re: SSL & Man In the Middle Attack"
- Next in thread: Lyal Collins: "Re: SSL & Man In the Middle Attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
