> SSL does not protect against the man in the middle attack
> because it doesn't validate the identity of the client (which
> is done with client certificates, and even then I'm not sure
> if it would help against the man in the middle attack).
Why wouldn't it, exactly? Client certificates use the same sort of functionality that server certificates do, as far as validation goes. If you need to validate both endpoints, you will need certificates on both. But in my experience, this is pretty common in large enterprises - many large organizations run their own certificate authorities just for this.

> If an attacker is able to modify the hosts file on the
> client computer, he has everything he needs to do a man in
> the middle attack.

Of course, at this point, the attacker can do all sorts of things without resorting to that kind of attack. But yes, both the client and the server must be adequately secure to prevent these sorts of things.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255228
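The mutual authentication Dave describes, as an added example that is not part of the original thread or of any Fig Leaf code: a Python loopback TLS handshake in which the server requires a client certificate, so a client with no certificate or one the server does not trust is rejected during the handshake. It assumes the openssl CLI is on PATH (used only to mint throwaway self-signed certificates); the names localhost, client and rogue are constructed test material.

```python
import socket, ssl, subprocess, tempfile, threading

def make_cert(d, name, san=None):
    """Self-signed certificate and key (constructed test material, valid one day)."""
    key, crt = f"{d}/{name}.key", f"{d}/{name}.crt"
    cmd = ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
           "-keyout", key, "-out", crt, "-subj", f"/CN={name}"]
    if san:  # the server cert needs a SAN so the client's hostname check passes
        cmd += ["-addext", f"subjectAltName=DNS:{san}"]
    subprocess.run(cmd, check=True, capture_output=True)
    return crt, key

def handshake(server_ctx, client_ctx):
    """One TLS handshake over loopback; True only if both sides accepted the peer."""
    lsock = socket.socket(); lsock.bind(("127.0.0.1", 0)); lsock.listen(1)
    port, server_ok = lsock.getsockname()[1], []
    def serve():
        conn, _ = lsock.accept(); conn.settimeout(5)
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)  # handshake (incl. client-cert check) is complete here
                server_ok.append(tls.getpeercert(binary_form=True) is not None)
        except OSError:      # ssl.SSLError is a subclass: handshake was rejected
            server_ok.append(False)
    t = threading.Thread(target=serve); t.start()
    try:
        with client_ctx.wrap_socket(socket.create_connection(("127.0.0.1", port), 5),
                                    server_hostname="localhost") as tls:
            tls.sendall(b"x")
        client_ok = True
    except OSError:
        client_ok = False
    t.join(); lsock.close()
    return client_ok and server_ok == [True]

def demo():
    with tempfile.TemporaryDirectory() as d:
        srv, cli, rogue = (make_cert(d, "localhost", "localhost"),
                           make_cert(d, "client"), make_cert(d, "rogue"))
        server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server.load_cert_chain(*srv)
        server.verify_mode = ssl.CERT_REQUIRED       # demand a client certificate...
        server.load_verify_locations(cafile=cli[0])  # ...and accept only this one
        def client(cert=None):  # PROTOCOL_TLS_CLIENT verifies server cert and name
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.load_verify_locations(cafile=srv[0])
            if cert: ctx.load_cert_chain(*cert)
            return ctx
        return {"client_cert": handshake(server, client(cli)),
                "no_client_cert": handshake(server, client()),
                "untrusted_client_cert": handshake(server, client(rogue))}
```

Only the first handshake succeeds: with `CERT_REQUIRED` the server aborts the handshake when the client presents no certificate or one that does not chain to its trust store, which is the per-endpoint validation the post refers to.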

