On Tue, Feb 14, 2012 at 09:13:11PM +0100, Ralph Holz wrote:
> 
> > It is not so hard really to see the conceptual difference between the two
> > cases. But to tools like Crossbear, they basically look the same.
> 
> Why? Crossbear sends the full certificate chain it sees to the CB
> server, where it is compared with the full chain that the CB server sees
> (plus a few more servers, too, actually, that it can ask). Convergence,
> AFAICT, does the same. If you're inside the corporate network, the
> certificate chain in the SSL handshake cannot be the same, and both
> systems will detect them.
In both cases, Crossbear will detect a MITM device, yes? But in one case, the device is authorized to sign for the entities it's signing certificates for, and in the other, it's not. This does not in any way diminish the usefulness of Crossbear as a tool for detecting MITM devices. But what's interesting about what happens in these two cases is that it's _whether the user is being deceived_ that differs. Crossbear can't know that -- the user has to supply the knowledge of whether there is, in fact, an authorized MITM in place.

And that is precisely what is wrong with what Trustwave did: they tried to make it look like there was no MITM in place instead of an unauthorized one, where in this case "authorized" means "the administrator of the client node positively agreed to have that node's traffic MITMed".

Thor

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
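The notary comparison described above, and the local consent check a notary cannot perform, as an added example (not Crossbear's or Convergence's code). Chains, fingerprints, the `Cert`/`Verdict` names and the `consented_issuers` list are all constructed for illustration; the `SUB_CA_PROXY` chain models the "looks like no MITM" case by hanging the interception CA under a publicly trusted root.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    MATCH = "chain agrees with the notary view"
    AUTHORIZED_MITM = "chain differs; an issuer in it is on the client's consent list"
    UNAUTHORIZED_MITM = "chain differs; no consent on record for any issuer in it"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed stand-in for a certificate hash


def chains_match(local_chain, notary_views):
    """Notary-style check: the full chain the client saw must equal the full
    chain that at least one independent vantage point saw for the same host."""
    local_fps = [c.fingerprint for c in local_chain]
    return any(local_fps == [c.fingerprint for c in view] for view in notary_views)


def classify(local_chain, notary_views, consented_issuers):
    """consented_issuers: fingerprints of CAs whose interception the client's
    administrator positively agreed to. Only the client side holds this; the
    notary comparison alone reports every divergence the same way."""
    if chains_match(local_chain, notary_views):
        return Verdict.MATCH
    if any(c.fingerprint in consented_issuers for c in local_chain[1:]):
        return Verdict.AUTHORIZED_MITM
    return Verdict.UNAUTHORIZED_MITM


# Constructed chains for one hostname (fingerprints are placeholders).
GENUINE = [Cert("mail.example.org", "Public CA", "f1"), Cert("Public CA", "Public CA", "f0")]
# Corporate proxy re-signing the leaf under its own private root.
CORP_PROXY = [Cert("mail.example.org", "Corp Proxy CA", "c1"),
              Cert("Corp Proxy CA", "Corp Proxy CA", "c0")]
# Interception CA issued under a public root: the browser's trust check
# passes, but the chain still differs from what the notaries observed.
SUB_CA_PROXY = [Cert("mail.example.org", "Intercept Sub CA", "s1"),
                Cert("Intercept Sub CA", "Public CA", "s0"),
                Cert("Public CA", "Public CA", "f0")]
NOTARY_VIEWS = [GENUINE]  # what the CB server and its helper vantage points saw

if __name__ == "__main__":
    for name, chain, consent in [("direct", GENUINE, set()),
                                 ("consented proxy", CORP_PROXY, {"c0"}),
                                 ("sub-CA, no consent", SUB_CA_PROXY, set())]:
        print(f"{name:20s} -> {classify(chain, NOTARY_VIEWS, consent).name}")
```

The third case is the one the message is about: the notary still flags the divergence, but without a consent entry the client has no basis to call it authorized.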
