Maybe I'm a bit naïve in this department, but isn't the following pretty well fact:
1 - MitM attacks were initially born from Wireless Network Hacking, not on location.
2 - A good business-based Switch or Firewall, properly configured, can and will prevent / alert against most in-house hacks / exploits.
3 - The skills needed to pull off a hack of this sort would basically mean that at one point your company hired a professional security expert, thus opening the door anyway?

99.9999% of computer users wouldn't know where to start when it comes to hacking SSL. They don't understand the client / server communication, nor do they understand the encryption algorithms. I've personally got a couple of security guys I use to handle audits for my clients, and though they have ways of pulling this off, it's extremely difficult... and it's all they do.

!k

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 05, 2006 11:13 AM
To: CF-Talk
Subject: RE: Break it down for n00bs: security problems of non-SSL intranet?

> Ok, I think I've made it clear that a mitm does not have to
> modify payloads in order to be successful ...

Wouldn't the payloads need to be modified, if they're encrypted using SSL? If you trick the client into talking to your machine instead of the intended host, and you present a certificate that isn't identical to the intended host's certificate, you would need to decrypt the content with your certificate. You'd then have to encrypt that content with the intended host's certificate. While the actual data you're interested in reading will not have changed, the information in the packet you received from the client will not be the same as the information in the one you send to the intended host, right?

That seems to me to be the behavior of a proxy, not a router. Routers rewrite transport layer stuff, but you'd need to rewrite application layer stuff (I think those are the two relevant OSI layers, but I'm too lazy to check).

And, I'm not trying to upset you or anything.
I'm genuinely interested in figuring this out. You mentioned previously that it would be possible to either use the intended host's certificate or present a certificate of your own that doesn't trigger a warning message on the client. Did I understand you correctly? If so, can you point to anything about that at all? If not, I apologize for misinterpreting you.

Thanks!

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255690
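The checks Dave is asking about, as an added example that is not part of the thread: a client trusts a server certificate only if it chains to a root in the client's trust store AND the name in the certificate matches the host it asked for. The script below builds a throwaway PKI with the openssl CLI and runs a browser-style verification against four certificates a MitM could present. It goes slightly beyond Dave's two cases by also showing a legitimate corporate certificate for the wrong hostname. Everything in it is assumed for the demo: the hostname intranet.example, the CA names, the file layout, and the presence of the openssl command; none of it comes from the thread.

```shell
#!/bin/sh
# Added example (not from the CF-Talk thread): what a TLS client checks before
# it trusts a server certificate, and which MitM certificates pass or fail.
# Assumptions: openssl CLI installed; intranet.example, the CA names and the
# file layout are invented for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=intranet.example

# Minimal req config so nothing here depends on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF

# make_ca <name> <basename>: self-signed CA certificate and key in $WORK.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
    -extensions ca_ext -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# issue_leaf <ca-basename> <hostname> <basename>: server certificate for
# <hostname> signed by that CA, with a SAN so name matching is unambiguous.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$WORK/$3.ext"
  openssl x509 -req -days 1 -in "$WORK/$3.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$WORK/$3.ext" -out "$WORK/$3.pem" >/dev/null 2>&1
}

# client_verify <trust-store.pem> <hostname> <server-cert.pem>
# The two checks a browser performs: chain to a trusted root, and the
# requested hostname must match the certificate.
# Exit 0 = silently accepted, non-zero = the certificate warning Dave asks about.
client_verify() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# verdict <label> <trust-store> <hostname> <cert>: one readable result line.
verdict() {
  if client_verify "$2" "$3" "$4"; then
    printf '%-44s accepted (no warning)\n' "$1"
  else
    printf '%-44s WARNING\n' "$1"
  fi
}

# Build: a corporate CA with two legitimate hosts, plus an attacker CA that
# issues itself a certificate carrying the real server's name.
setup_pki() {
  make_ca "Corp Intranet CA" corp-ca
  issue_leaf corp-ca "$HOST" intranet          # the real server
  issue_leaf corp-ca wiki.example wiki         # another legitimate corp host
  make_ca "Attacker CA" rogue-ca
  issue_leaf rogue-ca "$HOST" rogue            # MitM certificate for the real name
  cp "$WORK/corp-ca.pem" "$WORK/trust-clean.pem"                             # normal client
  cat "$WORK/corp-ca.pem" "$WORK/rogue-ca.pem" > "$WORK/trust-poisoned.pem"  # attacker root installed
}

setup_pki
verdict "real cert, normal client"              "$WORK/trust-clean.pem"    "$HOST" "$WORK/intranet.pem"
verdict "MitM cert from untrusted CA"           "$WORK/trust-clean.pem"    "$HOST" "$WORK/rogue.pem"
verdict "corp cert for a different host"        "$WORK/trust-clean.pem"    "$HOST" "$WORK/wiki.pem"
verdict "MitM cert, attacker root in trust store" "$WORK/trust-poisoned.pem" "$HOST" "$WORK/rogue.pem"
```

Only the first and last cases are accepted. The middle two are exactly the warning a client shows when a proxy terminates SSL with a certificate that does not match what the client expects, and the last one is what it takes for a substituted certificate to pass silently: the attacker must get a root they control into the client's trust store (the other route, holding the real server's private key, is not modelled here).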

