SSL does not protect against the man in the middle attack because it doesn't validate the identity of the client (which is done with client certificates, and even then I'm not sure if it would help against the man in the middle attack).
SSL is not a flaw in this case. It just doesn't prevent the man in the middle attack, but it doesn't do anything to facilitate it.

Back to the original question. You should use SSL because otherwise your traffic travels in cleartext, including usernames and passwords, and can be sniffed on the wire at any point along the route. At hacker conventions they often set up a wall of shame, by running a script which sniffs all network traffic and posts the usernames and passwords on the wall for people who use insecure protocols (SMTP, POP3, IMAP, FTP, etc).

Even if you use some sort of encryption, it's vulnerable to the man in the middle attack. As mentioned before, this attack is not trivial, as it requires either tricking the person into going to a different domain name and then proxying the requests, or doing some sort of DNS/ARP poisoning. The DNS/ARP poisoning is not easy either, unless the attacker gains access to your DNS records, or is on the local network. If an attacker is able to modify the hosts file on the client computer, he has everything he needs to do a man in the middle attack.

These attacks are not done very often in practice, however. There are easier ways to obtain information, such as social engineering.

Russ

> -----Original Message-----
> From: Bobby Hartsfield [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 03, 2006 10:59 AM
> To: CF-Talk
> Subject: RE: Break it down for n00bs: security problems of non-SSL intranet?
>
> > Because if you're talking about self-signed certs, that's
> > been discussed previously
>
> They weren't discussed, they were mentioned with the assumption that they
> won't validate and/or would be easily detected by a prompt to accept them
> unless they were stolen or bought... that assumption is wrong.
>
> It has nothing to do with all the SSL VPN vendors, browser developers -
> patches, warnings, etc.
>
> Best protection? Have a guard stand by every computer on the network and
> watch each user's every move because it's the 'only' way to keep it from
> happening.
>
> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 03, 2006 10:35 AM
> To: CF-Talk
> Subject: RE: Break it down for n00bs: security problems of non-SSL intranet?
>
> > Again, like I said... I left details out intentionally and I
> > won't post them now just because you asked.
>
> OK. I can understand that you don't want to release this sensitive
> information to the world. But typically, one could point to something which
> would describe the existence of a vulnerability without disclosing exactly
> how to exploit it. And presumably, this would be a big huge deal to all the
> SSL VPN vendors, browser developers - patches, warnings, etc. So, it seems
> to me that either (a) you're aware of some otherwise unknown 0day exploit,
> or (b) all the people using SSL/TLS in their products are collectively
> hoping that no one notices their fatal flaw until they can patch it.
>
> To be clear, are you talking about certificates with a validating signature?
> Because if you're talking about self-signed certs, that's been discussed
> previously.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255196
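The "wall of shame" sniffer Russ describes is easy to reproduce, which is the practical argument for SSL on the intranet. The following is an added example and not code from anyone in the thread: it takes already-reassembled client-to-server TCP streams (assumed to come from a capture tool; here they are constructed inline with fictitious hosts and credentials) and pulls the login exchange out of the cleartext protocols named in the post (POP3, IMAP, FTP, SMTP AUTH PLAIN, plus HTTP Basic). The TLS-wrapped stream at the end yields nothing, which is the point.

```python
"""
Cleartext credential extraction over reassembled TCP client->server streams:
the logic behind the "wall of shame" sniffer mentioned in the thread, run
offline over constructed sample traffic.

Added example, not code from the CF-Talk posting.  Assumes an upstream
capture tool has already reassembled each client->server stream; the sample
streams, hosts and credentials below are made up for illustration.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional


@dataclass(frozen=True)
class Stream:
    """One reassembled client->server TCP stream (constructed input)."""
    client: str
    server: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Credential:
    protocol: str
    server: str
    username: str
    password: str


# Login exchanges of the cleartext protocols named in the thread.
# Patterns run on bytes, line by line (re.M), case-insensitively (re.I).
_USER = re.compile(rb"^USER\s+(\S+)\r?$", re.M | re.I)            # FTP, POP3
_PASS = re.compile(rb"^PASS\s+(\S*)\r?$", re.M | re.I)            # FTP, POP3
_IMAP_LOGIN = re.compile(                                           # tag LOGIN user pass
    rb'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?\r?$', re.M | re.I)
_SMTP_PLAIN = re.compile(rb"^AUTH\s+PLAIN\s+(\S+)\r?$", re.M | re.I)
_HTTP_BASIC = re.compile(rb"^Authorization:\s*Basic\s+(\S+)\r?$", re.M | re.I)


def _b64(token: bytes) -> Optional[bytes]:
    """Strict base64 decode; a malformed token is skipped rather than crashing the sniffer."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def _text(b: bytes) -> str:
    return b.decode("utf-8", errors="replace")


def extract(stream: Stream) -> Iterator[Credential]:
    """Yield every credential visible in one cleartext stream.

    Streams to TLS ports (443, 465, 993, 995) match no branch: the handshake
    and application data are opaque to a passive sniffer.
    """
    p, srv, port = stream.payload, stream.server, stream.dst_port
    if port in (21, 110):
        proto = "ftp" if port == 21 else "pop3"
        user, pw = _USER.search(p), _PASS.search(p)
        if user and pw:
            yield Credential(proto, srv, _text(user.group(1)), _text(pw.group(1)))
    elif port == 143:
        for m in _IMAP_LOGIN.finditer(p):
            yield Credential("imap", srv, _text(m.group(1)), _text(m.group(2)))
    elif port in (25, 587):
        for m in _SMTP_PLAIN.finditer(p):
            blob = _b64(m.group(1))
            if blob is None:
                continue
            parts = blob.split(b"\0")          # SASL PLAIN: authzid \0 authcid \0 password
            if len(parts) == 3:
                yield Credential("smtp", srv, _text(parts[1]), _text(parts[2]))
    elif port in (80, 8080):
        for m in _HTTP_BASIC.finditer(p):
            blob = _b64(m.group(1))
            if blob is None or b":" not in blob:
                continue
            user, _, pw = blob.partition(b":")
            yield Credential("http-basic", srv, _text(user), _text(pw))


def wall_of_shame(streams: List[Stream]) -> List[Credential]:
    """Collect unique credentials across a capture, in first-seen order."""
    seen = set()
    out: List[Credential] = []
    for s in streams:
        for c in extract(s):
            if c not in seen:
                seen.add(c)
                out.append(c)
    return out


# Constructed sample capture: fictitious hosts and credentials.
SAMPLE_STREAMS = [
    Stream("10.0.0.12", "10.0.0.5", 110, b"USER alice\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n"),
    Stream("10.0.0.13", "10.0.0.5", 143, b"a001 LOGIN bob s3cret\r\na002 SELECT INBOX\r\n"),
    Stream("10.0.0.14", "10.0.0.9", 21, b"USER carol\r\nPASS letmein\r\nPWD\r\n"),
    Stream("10.0.0.15", "10.0.0.7", 25,
           b"EHLO laptop\r\nAUTH PLAIN " + base64.b64encode(b"\0dave\0sm tppw") + b"\r\n"),
    Stream("10.0.0.16", "10.0.0.8", 80,
           b"GET /intranet/ HTTP/1.1\r\nHost: intranet.example\r\n"
           b"Authorization: Basic " + base64.b64encode(b"erin:Winter2006") + b"\r\n\r\n"),
    # The same mail client polling again: identical credential, deduplicated.
    Stream("10.0.0.12", "10.0.0.5", 110, b"USER alice\r\nPASS hunter2\r\nQUIT\r\n"),
    # Same user over POP3S: a TLS ClientHello, nothing recoverable.
    Stream("10.0.0.12", "10.0.0.5", 995, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"),
]


if __name__ == "__main__":
    for c in wall_of_shame(SAMPLE_STREAMS):
        print(f"{c.protocol:10} {c.server:12} {c.username}:{c.password}")
```

Feeding it real traffic only needs a stream reassembler in front (the port-based dispatch is the weak spot, so a production tool would fingerprint the protocol from the payload instead). Note that nothing here touches the SSL question at all: once the same logins move to 995, 993, 990 or 465, the sniffer sees only the handshake, and the attacker is pushed toward the much noisier DNS/ARP or hosts-file tricks Russ describes.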