> I think the question was "are you talking about certificates
> with a validating signature?" and I think I answered that...
> more or less. If it wasn't clear, then "YES" I am talking
> about generated certs that will validate 100% locally.

I remember an exploit specific to IE around 2001 or so, in which IE would accept any cert from one cert vendor as valid, even if the hostname didn't match. I do think that was patched since then. I also remember a big problem with intermediate certs around 2002, which affected pretty much every vendor using SSL. I'm unaware of any current vulnerabilities like this, although obviously that doesn't mean they don't exist.

> If by sub-bridge you mean 'the real world' where people know
> better than to think ANYTHING is secure on a network when the
> 'bad guy' has local access and knows what he/she is doing,
> then yeah... that's where I live. Putting faith in SSL to
> protect against local attacks is absurd. Claiming that
> setting it up 'correctly' protects better against local MiTM
> attacks is nothing short of naïve.

I'm not really sure what you mean by "local access", or "the real world" for that matter. If by "local access" you mean access (and potential control) of an endpoint in an SSL conversation, then yeah, you've just described the whole problem with "clientless" SSL VPNs in a nutshell. But that's not what anyone here (other than you, perhaps) is talking about, as far as I can tell. And in the real world I live in, when I visit client sites, they are often quite secure, to the point where moving a machine from one wall jack to another requires administrative intervention (and triggers alarms if you do it yourself).

And I'm not trying to be a dick about this, to be blunt. I don't think you're trolling. I am not a security expert. There are a lot of things I don't know, to say the least. But your response was essentially "Oooga booga, you should be scared because I say so!" That's not especially convincing. I'm familiar with using, say, Ettercap to capture HTTPS sessions, but again, I've never seen an example where this didn't rely on presenting an invalid certificate to the user.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255251
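Added example (not from Dave's post or anyone on the list): the two checks the post keeps coming back to are (1) does the cert chain to a CA the client trusts, and (2) does the name in the cert match the host being visited. The script below builds a throwaway PKI with the openssl CLI and runs both checks, the way a correctly configured client would, against three certs: the real site's cert, a CA-signed cert for a different hostname (the IE-era "any cert from that vendor" case), and a cert an attacker mints locally for the right name but with no trusted signer. The hostname, CA name and file names are made up; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Build a tiny PKI with the openssl CLI and show which certificates pass
# the two checks a properly configured TLS client performs:
#   1. the chain ends at a trusted CA
#   2. the certificate's name matches the hostname being visited
# Assumes openssl 1.1.1+ on PATH. Hostname and CA name are made up.

set -eu

HOST=www.example.com          # hypothetical site the client visits
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Trusted root CA (stands in for a root the browser ships with).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Example Trusted Root" >/dev/null 2>&1
}

# Leaf cert named $1, signed by the trusted CA, carrying SAN $2.
issue_leaf() {
    name=$1; san=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/CN=$san" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$san" > "$WORK/$name.ext"
    openssl x509 -req -days 1 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# Self-signed cert anyone can mint locally for any name; the private key
# and signature are perfectly valid, but no trusted CA vouches for it.
forge_leaf() {
    name=$1; san=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
        -subj "/CN=$san" -addext "subjectAltName=DNS:$san" >/dev/null 2>&1
}

# The client-side check: chain to the trust store AND hostname match.
# Prints OK or FAIL for the cert named $1.
check_cert() {
    if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$HOST" \
        "$WORK/$1.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

setup_pki() {
    make_ca
    issue_leaf good "$HOST"                 # what the real site presents
    issue_leaf wrongname other.example.com  # trusted chain, wrong hostname
    forge_leaf forged "$HOST"               # right hostname, untrusted issuer
}

setup_pki
for c in good wrongname forged; do
    printf '%-10s %s\n' "$c" "$(check_cert "$c")"
done
```

Only "good" passes. "wrongname" has a perfectly valid chain and fails solely on the hostname check, which is the check the old IE bug skipped; "forged" is the locally generated cert from the quoted message: it validates in the sense that its signature is self-consistent, but the client rejects it because nothing in its trust store signed it. Dropping -verify_hostname, or adding the forged cert's issuer to -CAfile, is exactly what it takes to make the other two pass, which is why a MiTM on a correctly configured client ends up presenting a cert the user is warned about.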

