Re: Cracking SSL

From: Mack (macckone_at_a_nospamjunk123_ol.com)
Date: 10/13/03


Date: Mon, 13 Oct 2003 12:16:07 GMT

On Sun, 12 Oct 2003 13:57:56 GMT, Anne & Lynn Wheeler
<lynn@garlic.com> wrote:

>"Roger Schlafly" <rogersc@mindspring.com> writes:
>> Possibly secure, depending on how it is used. As SSL is commonly
>> used, there are various attacks possible. Eg, most people do not
>> use client certs, so a man-in-the-middle attack is possible.
>
[snip]
>
>So from the standpoint of "commonly used" .... the user may typically
>provide the initial, non-ssl URL for the shopping experience ... but
>when it comes to the most widespread use of SSL ... the user clicks on a
>button at the shopping website to enter the SSL environment ... and
>most users pay little or no attention to the URL that the button
>serves up. A common exploit is to be at a bogus shopping site (with no
>SSL) ... and then have a user hit the checkout button to enter the SSL
>session. The URL that the checkpoint at the bogus shopping site
>coughs up turns out to be identical to the domain name of the bogus
>shopping site ... and of course the SSL validation proves that the
>domain name in the (bogus) URL, in fact matches the domain name in the
>supplied certificate.

That really isn't a MITM attack. In this case Fred really is Fred but
he is defrauding Alice. There really isn't any effective way to stop
a vendor from failing to deliver goods promised or misusing
credit card information once they have it.

>
>The issue, of course, is that the breadth of MITM protection specified
>by the technical SSL description ... is significantly less than the
>breadth of MITM exploits available to people wanting to do fraud. In
>some ways, it is like saying that SSL specifies the security of the
>bank vault door ... but washes its hands of any issue regarding bank
>vault doors being placed in empty fields .... it isn't their fault
>that the crooks can walk around the door since there are no walls,
>floors, ceilings, etc.

Brick and mortar business communities haven't found a
way to keep people from setting up fraudulent brick and mortar
businesses either. In the case of construction fraud it really
is brick and mortar.

Leslie 'Mack' McBride
remove text between _ marks to respond via e-mail