Right.  But to do that you would most likely have to install your
homemade CA root cert on their browser, which would probably tip off
most users (at least a few customers would call, clueless as to how to install
a CA--I know ours would).  The only CAs with commonly accepted root certs
wouldn't let you get one from them without checking your credentials first.
So it looks like unless you compromised the target server first and somehow
stole their SSL certificate, you'd have to create your own that matched the
domain name and that would make the exploit very untransparent to the
exploited user.  Unless of course, there is an easy way to make commonly
accepted certificates without authentication--which would be a fatal flaw in
the whole protocol.

Don't get me wrong, I'm not downplaying the significance of the L0pht's
advisory at all.  I'm just trying to get a grasp on the implications.

-Mike

>>> Not as a proxy, since that's a different protocol from the host, but as the
>>> end-system.  Yes, you have to issue yourself a fake certificate, but I suspect
>>> that that's not an insurmountable problem.  And of course, that certificate is
>>> signed by someone you've invented with a plausible name -- probably something
>>> corresponding to the name of the site you're impersonating.  Say, "Amazon.com
>>> Electronic Security Services" or some such.

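The point made above is that a certificate from a homemade CA only passes validation if that CA's root is in the client's trust store, and only for the name it was issued to. The script below is an added example, not part of the thread, showing the check a TLS client performs; the CA names, the hostnames `shop.example` and `bank.example`, and the "Other Root CA" standing in for a browser's built-in roots are all constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a leaf certificate signed by a
# homemade CA validates only against a trust store holding that CA's root,
# and only for the name it was issued for. All names are constructed.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. The "homemade" CA: a self-signed root. Only a client whose trust
#    store contains ca.crt will accept anything it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Homemade Root CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. An unrelated root, standing in for the roots a browser ships with.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Other Root CA" -keyout other.key -out other.crt 2>/dev/null

# 3. A leaf certificate for shop.example, issued by the homemade CA.
printf 'subjectAltName=DNS:shop.example\n' > san.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile san.ext -out leaf.crt 2>/dev/null

# verify_leaf TRUSTSTORE HOSTNAME: the check a TLS client performs.
# Succeeds (exit 0) only if leaf.crt chains to a root in TRUSTSTORE and
# its subjectAltName matches HOSTNAME; "openssl verify" prints ": OK" then.
verify_leaf() {
    openssl verify -CAfile "$1" -verify_hostname "$2" leaf.crt 2>&1 \
        | grep -q ': OK$'
}

# Stand-alone demonstration of the three outcomes.
verify_leaf ca.crt shop.example    && echo "trusted root, right name: accepted"
verify_leaf other.crt shop.example || echo "unknown root: rejected"
verify_leaf ca.crt bank.example    || echo "trusted root, wrong name: rejected"
```

Requires OpenSSL 1.1.0 or newer for `-verify_hostname`; the second case is what a user sees when the homemade root was never installed on their machine.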