X.509 weakness?
- From: bsd_mike <bsddorin@xxxxxxxxx>
- Date: Sat, 16 Jun 2007 15:32:48 -0000
When I connect to a server using ssh the first time, I get a message asking if I really want to connect to this guy.
I replace a server and recycle its IP address, ssh does not want me to connect as the certificate has changed.
So is this a weakness? Say I connect to a server, accept its certificate and am happy.
Bad guy Garth also snags a copy of the certificate.
The next time I connect to the server, bad guy Garth has changed my DNS so that instead of going to the correct server, I go to bad guy Garth's server who is pretending to be my server. I look at the CN=www.freesoft.org and say, wow that's the server I want and the certificate is good. I am happy.
Am I missing something? Is it possible, by manipulating a DNS server, for a bad guy to serve up a good certificate and have it be undetected by a client?
-Mike
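
Added example, not part of the original post and not OpenSSH's own code: a simplified model of the two client behaviours the post describes, the first-connection prompt and the refusal after a server is replaced on a recycled IP address. The function names, the host name `server.example`, the address `192.0.2.10` and the key bytes are constructed for illustration. It covers only the comparison of the presented public key against the recorded one; the protocol's separate requirement that the server sign the key exchange with the matching private key is not modelled.

```python
import base64
import hashlib
import struct

def ed25519_blob(raw32):
    """SSH wire encoding of an ssh-ed25519 public key (two length-prefixed strings)."""
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh prints: unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Map each host name or address to the set of (keytype, blob) recorded for it."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers, hashed entries and malformed lines.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        for host in fields[0].split(","):
            table.setdefault(host, set()).add((fields[1], base64.b64decode(fields[2])))
    return table

def check_host_key(table, host, keytype, blob):
    """Simplified model of the client's decision for the key a server presents."""
    known = table.get(host)
    if not known:
        return "UNKNOWN"   # first connection: ask the user to confirm the fingerprint
    if (keytype, blob) in known:
        return "OK"        # same public key as recorded earlier
    return "CHANGED"       # recorded key differs: refuse and warn

# Constructed sample data: key bytes, host name and address are made up.
OLD_BLOB = ed25519_blob(bytes(range(32)))        # original server
NEW_BLOB = ed25519_blob(bytes(range(32, 64)))    # replacement on the same IP
KNOWN_HOSTS = ("# constructed entry\nserver.example,192.0.2.10 ssh-ed25519 "
               + base64.b64encode(OLD_BLOB).decode() + "\n")

if __name__ == "__main__":
    table = parse_known_hosts(KNOWN_HOSTS)
    for label, blob in (("original", OLD_BLOB), ("replacement", NEW_BLOB)):
        print(label, fingerprint(blob),
              check_host_key(table, "192.0.2.10", "ssh-ed25519", blob))
    print(check_host_key(table, "new.example", "ssh-ed25519", OLD_BLOB))
```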