On Friday, 02.02.2007, at 16:15 -0500, James Muir wrote:
> > You can find more and download Odysseus here:
> > 
> > http://www.bindshell.net/tools/odysseus
> 
> It is my understanding that SSL is engineered to resist mitm attacks, so
> I am suspicious of these claims.  I wondered if someone more familiar
> with SSL/TLS could comment.
>
> Isn't it the case that the application doing SSL on the client should
> detect what this proxy server is doing and display a warning to the user?

An unmodified SSL/TLS client should display a warning message that the
server certificate is invalid, or something similar. So this is not a
valid man-in-the-middle attack against SSL/TLS.

Perhaps you are going to use this tool for debugging purposes. If so, you
can perhaps generate a certificate with a private key. The certificate is
installed in your SSL/TLS client as a trusted certification authority,
and the certificate and the private key are then used by Odysseus to make
these warning messages go away.

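The certificate behaviour described in the reply above, as an added example that is not part of the original message and is not Odysseus's own code: a leaf certificate issued by a private debugging CA fails validation against the client's default trust store and passes once that CA is supplied as a trust anchor. The names `Debug Proxy CA` and `www.example.test` and the helpers `make_proxy_pki` and `client_accepts` are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added illustration; all names and files below are constructed for the example.

# Create the debugging CA (certificate + private key) and a leaf certificate
# signed by it, as an intercepting proxy would present for a site.
make_proxy_pki() {   # $1 = working directory
  d="$1"
  # Self-signed CA owned by the person debugging their own traffic.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Debug Proxy CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Key and signing request for the certificate shown to the client.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  # Leaf certificate issued by the debugging CA.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
}

# Report whether a client would accept the certificate chain.
# $1 = leaf certificate, $2 = optional CA file the client has been told to trust.
client_accepts() {
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  else
    # Unmodified client: only the system's default trust store is consulted.
    out=$(openssl verify "$1" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) echo accepted ;;
    *)        echo rejected ;;   # this is where the user sees the warning
  esac
}

demo() {
  tmp=$(mktemp -d)
  make_proxy_pki "$tmp"
  echo "default trust store:        $(client_accepts "$tmp/leaf.crt")"
  echo "debugging CA marked trusted: $(client_accepts "$tmp/leaf.crt" "$tmp/ca.crt")"
  rm -rf "$tmp"
}

demo
```

Anyone holding `ca.key` can issue certificates that a client trusting `ca.crt` will accept for any name, so the CA belongs only in a dedicated debugging profile and should be removed from the trust store afterwards.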