> Well first of all if you don't use a real certificate authority, but install
> a self-generated certificate, then using the man-in-the-middle attack, the
> other PC can install a self-generated cert, and you wouldn't know it, since
> all you would get is a warning. This of course requires DNS/ARP poisoning
> to implement.

Yes, self-signed certificates do not provide the validation that comes with a
certificate signed by a trusted certificate authority. That is one of the
obvious limitations of self-signed certificates, I would think.

> If you use a real certificate from one of the certificate authorities, the
> man in the middle can do 1 of 2 things (after they've done the DNS/ARP
> poisoning).
>
> 1. Steal the certificate from your server and install it on theirs
> 2. Somehow get access to make changes to the domain registration or to read
>    the domain registration contact emails, and then buy their own
>    certificate.

Note that I didn't say it couldn't be done. I said it would not be trivial. I
think you've just demonstrated that, with your explanation. Multiple security
vulnerabilities would need to exist. And if I could steal the certificate from
your server, I doubt I'd need to go to all this trouble, as I'd obviously have
some sort of control over one of the two vulnerable SSL endpoints, and I could
probably just query the databases, etc., directly anyway.

> The scenario you've presented where the user goes to the 'bad' site and the
> 'bad' site accesses the 'good' site as a proxy, the 'bad' site
> administrator can buy the certificate for their domain name, and no warning
> will be issued. In your example, I would buy a certificate for
> tra1ning.fugleaf.com and trick the user into going there.

This is certainly more viable, as the current success of phishing exploits
demonstrates. However, within the context of an intranet environment - the
environment described by the original poster - this is much less likely to
succeed. Most employees presumably know the domain name of their employer, for
example.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at
our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern
Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255103
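The last point in the thread is that a look-alike name such as tra1ning.fugleaf.com carries a perfectly valid CA-issued certificate, so the browser's certificate check is no defence; what catches it is noticing that the hostname is almost, but not quite, one the organisation operates. The following is an added example, not code from the thread or from Fig Leaf Software, of the kind of check a proxy, mail filter or link scanner could run on a hostname before letting a user follow it. The allowlist `KNOWN_GOOD`, the confusable-character table and the edit-distance threshold are assumptions constructed for the example; only the domain names are taken from the thread.

```python
"""Flag hostnames that look like, but are not, a known intranet host.

Two tricks are covered: characters that read as letters ("1" for "i" or "l",
"0" for "o") and small typos such as "fugleaf" for "figleaf". Digits with more
than one plausible reading are tried every way, so "tra1ning" is recognised as
"training" rather than only as "tralning".
"""
import itertools

# Hosts the organisation actually operates. Constructed allowlist for this
# example; the figleaf.com names come from the thread, the list is made up.
KNOWN_GOOD = ("training.figleaf.com", "intranet.figleaf.com")

# Characters commonly substituted for letters in look-alike names. A value of
# more than one letter means the character is ambiguous and every reading is tried.
CONFUSABLE = {"0": "o", "1": "il", "3": "e", "5": "s", "7": "t", "8": "b",
              "@": "a", "$": "s"}

MAX_AMBIGUOUS = 6  # cap on the number of multi-reading characters expanded


def _canonical(host):
    """Lower-case, trim whitespace and a trailing dot."""
    return host.strip().lower().rstrip(".")


def readings(host):
    """Every plausible letters-only reading of a hostname, as a set."""
    options = []
    ambiguous = 0
    for ch in _canonical(host):
        alts = CONFUSABLE.get(ch, ch)
        if len(alts) > 1:
            if ambiguous >= MAX_AMBIGUOUS:
                alts = alts[0]  # stop expanding once the cap is reached
            else:
                ambiguous += 1
        options.append(alts)
    return {"".join(p) for p in itertools.product(*options)}


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(host, known_good=KNOWN_GOOD, max_edits=2):
    """Return (verdict, closest_known_host, edit_distance).

    verdict is one of:
      "trusted"   - exactly a known host
      "homoglyph" - identical to a known host once digits are read as letters
      "near-miss" - within max_edits of a known host (likely typosquat)
      "unrelated" - nothing close to a known host
    """
    h = _canonical(host)
    if h in known_good:
        return ("trusted", h, 0)
    variants = readings(h)
    best_good, best_d = None, None
    for good in known_good:
        d = min(levenshtein(v, good) for v in variants)
        if best_d is None or d < best_d:
            best_good, best_d = good, d
    if best_d == 0:
        return ("homoglyph", best_good, 0)
    if best_d <= max_edits:
        return ("near-miss", best_good, best_d)
    return ("unrelated", best_good, best_d)


if __name__ == "__main__":
    # Constructed sample hostnames, including the thread's own example.
    for sample in ("training.figleaf.com", "tra1ning.figleaf.com",
                   "tra1ning.fugleaf.com", "www.example.com"):
        verdict, closest, dist = classify(sample)
        print(f"{sample:28} {verdict:10} closest={closest} edits={dist}")
```

The edit-distance threshold is deliberately small: at 2 it still catches single-letter swaps combined with one digit trick, while a longer unrelated hostname lands well above it. Anything classified `homoglyph` or `near-miss` is worth blocking or at least warning on, regardless of whether the certificate presented for it validates, which is exactly the case the certificate check cannot see.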