Actually,
You are trusting the user to do the right thing. Historically, users
don't always do the right thing. Hence, why I want a technology to
protect data and not a human being.
Tim wrote:
>> (assuming the admin doesn't notice the cert changes and all that good
>> stuff.)
>>
>
>
> There's your problem. If you assume this, you will always be vulnerable
> to MitM if the software you're using allows you to communicate anyway.
>
> If you're SSH client lets you connect to systems whose keys have
> changed, same problem. If your VPN client allows it, same problem.
>
> This is why I wanted you to think about what you are trusting in the
> first place. You are trusting your CA and the certificate chain. If
> you can't do that, then you have no trust.
>
> tim
>
--
Regards,
Adriel T. Desautels
Harvard Security Group
http://www.harvardsecuritygroup.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
