On Thu, Dec 1, 2011 at 5:11 PM, Adam Back <[email protected]> wrote:
> btw if client certs are being used or TLS-SRP ciphersuite these attacks
> would not work because SSL negotiation would fail. Unless the MitM could
> create fake client certs on the fly also that would be acceptable to the
> server.

Right, because those involve a channel binding (internal to the channel itself). OBC doesn't detect the MITM though if the MITM re-writes the cookies in the requests and responses. In particular, if passwords are POSTed in forms, the MITM gets them, though if origin bound cookies are already in use by that point then the MITM has to rewrite them.

Nico
--
