----- Original Message -----
> From: "Kurt Roeckx" <[email protected]>
> To: [email protected]
> Sent: Thursday, 31 July, 2014 9:54:45 AM
> Subject: Re: Dynamic Path Resolution in AIA CA Issuers
>
> On 2014-07-31 01:29, Ondrej Mikle wrote:
> > I should probably add that a MitM attacker like an ISP can generally tamper with
> > certificate chains sent in TLS handshake anyway, but AIA fetching would allow an
> > adversary more hops away on a different continent to tamper with the connection.
>
> How would an ISP tamper with the certificates sent in TLS without TLS
> giving an error that the packets were tampered with?
Because until you parse the certificates and validate the signatures you have no way of knowing if the packets you receive are coming from the server or the MitM box at the ISP.

-- 
Regards,
Hubert Kario
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
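The point Hubert makes above, as an added example that is not from this thread or from any Mozilla code: a Go program (standard library only) mints a constructed trusted root, a constructed "MitM box" CA, and two leaf certificates that both carry the same host name, then shows that only chain validation against the local trust store tells the genuine leaf from the swapped one. All names, serial numbers and keys are invented for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mint issues a certificate for name signed by parent (self-signed when parent is nil); constructed test data only.
func mint(serial int64, name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed root: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainVerifies is the check a client must finish before it can tell whether the handshake came from
// the real server or from a box in the path: the leaf must chain, via valid signatures, to a local root.
func ChainVerifies(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
func main() {
	root, rootKey := mint(1, "root.test", true, nil, nil)
	mitm, mitmKey := mint(2, "mitm.test", true, nil, nil) // the box in the path has its own CA
	roots := x509.NewCertPool()
	roots.AddCert(root)
	genuine, _ := mint(3, "www.example.com", false, root, rootKey)
	swapped, _ := mint(4, "www.example.com", false, mitm, mitmKey) // same name, wrong issuer
	fmt.Println(ChainVerifies(genuine, roots, "www.example.com"), ChainVerifies(swapped, roots, "www.example.com"))
}
```

Until ChainVerifies has run, both leaves parse cleanly and name the same host; nothing in the bytes themselves reveals which one the network delivered.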

