Hi,

>> As Crossbear's assessment is not something everyday users will
>> understand, we ourselves view Crossbear as the tool that, e.g., a
>> travelling security aficionado/hacker/interested person might want to
>> use, but not your average guy. Our goal is to find out how many MITM
>> actually happen, and how, and where. That's why Crossbear has this
>> second component, the hunting tasks.
>
> Interesting -- will this work, in the case of authorized MITM of the
> network the client's on? The second SSL connection will always fail,
> since the MITM device will MITM it. Perhaps there should be an option
> to retrieve results separately and later?
Yes, things start to become difficult when the middle-box goes and actively meddles with the messages the client sends to the server. That sure is a dedicated attacker now that is also built to defeat Crossbear.

We have the CB server's cert hard-coded in the client, so we can encrypt to the server and check its signatures, too, and be sure who's talking to the client. If the attacker starts to drop CB server messages, our first reaction is to warn the user that there might be foul play and that he's now unprotected. Unfortunately, there's no way to distinguish deleted messages from network outage or similar faults.

So, yes, we have thought about extending Crossbear to a) store the results and try to send them later (should work for mobile devices) or b) try and switch to other channels. We're not quite sure about the latter as the question is really how much power your attacker has. Use the user's mail client and create a mail, anonymous FTP, WebDAV - OK. Maybe a Tor hidden service for the extreme cases? None of these is built-in so far.

BTW, what we do not address is an attacker sending us many forged chains and/or traces. We don't want clients to have to register with our server and obtain an identity. That's a sore point.

Ralph

-- 
Ralph Holz
Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
_______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
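The client-side check Ralph describes above (the CB server's certificate is hard-coded in the client, every message from the server is signature-checked against it, and silence can only be flagged as "possibly unprotected" because a dropped message and an outage look identical), written out as an added example in Go. This is not code from the thread or from Crossbear itself. It assumes an Ed25519 key pair and a SHA-256 fingerprint of the public key in place of the real X.509 certificate, a made-up context string and sequence number under the signature, and a constructed hunting-task string; the sequence-number replay check is an addition the thread does not mention.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Verdict is the client's conclusion about one polling round.
type Verdict int

const (
	Authentic Verdict = iota // valid signature from the pinned server key, fresh sequence number
	Forged                   // a message arrived but fails the pin, signature or freshness check
	NoMessage                // nothing arrived: a dropped message and a network outage look the same
)

func (v Verdict) String() string {
	return [...]string{"Authentic", "Forged", "NoMessage"}[v]
}

// Pin is what ships inside the client: the SHA-256 fingerprint of the server's
// public key. It stands in for the hard-coded server certificate (assumption).
type Pin [sha256.Size]byte

var ErrPinMismatch = errors.New("presented key does not match pinned fingerprint")

// PinOf fingerprints a public key.
func PinOf(pub ed25519.PublicKey) Pin { return sha256.Sum256(pub) }

// signedBytes binds an assumed context string and a sequence number to the task
// so a signature cannot be reused for another purpose or replayed later.
func signedBytes(seq uint64, task []byte) []byte {
	buf := []byte("crossbear-hunting-task-v1\x00") // hypothetical domain-separation tag
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], seq)
	buf = append(buf, n[:]...)
	return append(buf, task...)
}

// SignTask is the server side: sign (seq, task) with the long-term key.
func SignTask(priv ed25519.PrivateKey, seq uint64, task []byte) []byte {
	return ed25519.Sign(priv, signedBytes(seq, task))
}

// VerifyTask is the client side. The presented key must match the pin before the
// signature is even looked at, so a middlebox using its own key is rejected outright.
func VerifyTask(pin Pin, pub ed25519.PublicKey, seq uint64, task, sig []byte) (Verdict, error) {
	if PinOf(pub) != pin {
		return Forged, ErrPinMismatch
	}
	if !ed25519.Verify(pub, signedBytes(seq, task), sig) {
		return Forged, errors.New("signature does not verify")
	}
	return Authentic, nil
}

// Response is what one poll yields; a nil *Response means nothing came back.
type Response struct {
	Pub  ed25519.PublicKey
	Seq  uint64
	Task []byte
	Sig  []byte
}

// Client keeps the pin and the highest sequence number accepted so far.
type Client struct {
	pin     Pin
	lastSeq uint64
}

func NewClient(pin Pin) *Client { return &Client{pin: pin} }

// Poll classifies one round. A silent round is NoMessage: the client can warn
// that it may be unprotected, but cannot tell deliberate dropping from an outage.
func (c *Client) Poll(r *Response) Verdict {
	if r == nil {
		return NoMessage
	}
	if v, _ := VerifyTask(c.pin, r.Pub, r.Seq, r.Task, r.Sig); v != Authentic {
		return Forged
	}
	if r.Seq <= c.lastSeq { // replay of an old, genuinely signed task
		return Forged
	}
	c.lastSeq = r.Seq
	return Authentic
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the CB server's key pair
	client := NewClient(PinOf(pub))
	task := []byte("trace www.example.net:443") // constructed hunting task

	fmt.Println(client.Poll(&Response{Pub: pub, Seq: 1, Task: task, Sig: SignTask(priv, 1, task)})) // Authentic
	fmt.Println(client.Poll(&Response{Pub: pub, Seq: 1, Task: task, Sig: SignTask(priv, 1, task)})) // Forged: replay

	apub, apriv, _ := ed25519.GenerateKey(rand.Reader) // middlebox with its own key
	fmt.Println(client.Poll(&Response{Pub: apub, Seq: 2, Task: task, Sig: SignTask(apriv, 2, task)})) // Forged: pin
	altered := []byte("trace attacker-controlled-host:443")
	fmt.Println(client.Poll(&Response{Pub: pub, Seq: 2, Task: altered, Sig: SignTask(priv, 2, task)})) // Forged: signature

	fmt.Println(client.Poll(nil)) // NoMessage: warn the user, but the cause cannot be attributed
}
```

The pin comparison is done before the signature check on purpose: if the client verified whatever key the peer presented, a middlebox could simply substitute its own key and sign with it, which is exactly the attack the hard-coded certificate is there to stop. The NoMessage branch is where the thread's open problem sits; the code can surface it but, as Ralph says, cannot distinguish it from a plain outage.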
