It's actually "man in the middle" and it refers to someone who manages to
insert themselves between two end points of a connection and then pretend
that they are one of the end points.
Here is an excerpt from http://www.safeinternet.com/publicencryption.html
that illustrates the issue - it relates to PKI but can equally apply to
the web.
=======================================================================
Assume for a moment that someone with a fast connection to the Internet
can see the traffic between the Certificate Authority and everyone else.
Due to the nature of the Internet, this is more likely today than not. As
they watch the traffic they see a request to the Certificate Authority go
by asking for a copy of a Public Key. If this individual were so inclined,
he might impersonate the Certificate Authority and send a Public Key to
the user, but not the Public Key the user intended. Instead the
Public Key sent is the impostor's Public Key, not the Public Key from the
Certificate Authority. The user, not being able to prove the identity of
the Certificate Authority, would accept the false key and use it to
encrypt their data, and then send the presumed secure data out
onto the network.
The user in this scenario has had to Implicitly Trust the Certificate
Authority and use whatever information was supplied by the supposed
Certificate Authority. There was no proof of the identity of
the Certificate Authority, nor was there proof that the Public Key in fact
belonged to the secure server.
The unscrupulous network user could now take the presumed secure data,
decrypt it, since it was encrypted with their key, look at it, and then
re-encrypt it with the secure server's Public Key that was provided by the
Certificate Authority, and send it on its way to the secure server.
Neither the user, nor those managing the secure server might ever notice
that the data has been intercepted, and perhaps altered.
This network attack is known as the Man In The Middle Attack, and is made
possible because Public Key encryption relies upon users implicitly
trusting whatever message they receive from a system claiming to be the
Certificate Authority. There is no method to prove the identity of the
Certificate Authority.
This potential security risk is also the reason why many secure sites,
such as military sites, will not use Public Key encryption.
===================================================================
Larry Chin {[EMAIL PROTECTED]} Technical Specialist - ISC
Sprint Canada 2550 Victoria Park Avenue
Phone: 416.496.1644 ext. 4693 Suite 200, North York, Ontario
Fax: 416.498.3507 M2J 5E6
===================================================================
On Sun, 4 Jul 1999, Javier Romero wrote:
> Hi again!
>
> Is the phrase "manin the middle attack" right?
> If it is so. What does mean "manin"?
>
> I read it in a manual about Web Spoofing.
>
> TIA.
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
